From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 3 23:33:14 2003
Date: Thu, 3 Apr 2003 23:33:03 -0800
From: Luigi Rizzo
To: jeremie le-hen
cc: ipfw@freebsd.org
Subject: Re: Implementing ranges in ipfw2
Message-ID: <20030403233303.B58813@xorpc.icir.org>
References: <20030403215327.GJ7538@annelo.epita.fr>
In-Reply-To: <20030403215327.GJ7538@annelo.epita.fr>; from le-hen_j@epita.fr on Thu, Apr 03, 2003 at 11:53:27PM +0200

I would just implement the iplen check; there is another option which deals with fragments and can be used in conjunction with this one if needed. Also, a different handling of fragments (when talking of size) makes little sense because one could always force a small MTU to generate short packets.

The reason people are generally concerned with fragments is that the protocol-specific information (port numbers etc.) is not available in fragments past the first one, but the length information is in the IP header anyway.

cheers
luigi

On Thu, Apr 03, 2003 at 11:53:27PM +0200, jeremie le-hen wrote:
> Hi,
>
> I am going to implement ranges for IPLEN the same way as for transport
> layer ports (struct _ipfw_insn_u16). But I'm wondering if this kind of test
> should only be applied to first/only fragments, since a malicious application
> could use small fragments in order to bypass firewall rules.
>
> I'm waiting for your comments.
> --
> Jeremie aka TtZ
> le-hen_j@epita.fr
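To illustrate the two points in this exchange (an iplen range check modelled on the ipfw2 u16 port-range list, and the fact that ports are absent from non-first fragments while the total length sits in every fragment's IP header), here is an added C example that is not ipfw code; the struct and function names and the two sample fragments are constructed for the demonstration:

```c
/* Added example, not ipfw code: an iplen range check modelled on the
 * ipfw2 u16 (lo,hi) port-range list, run against raw IPv4 headers.
 * All names and the sample packets below are constructed for this demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct iplen_ranges {            /* inclusive (lo, hi) pairs, as ipfw2 stores ports */
    size_t npairs;
    uint16_t r[8][2];
};

static uint16_t ip_total_length(const uint8_t *ip) {   /* bytes 2-3, network order */
    return (uint16_t)((ip[2] << 8) | ip[3]);
}

static uint16_t ip_frag_offset(const uint8_t *ip) {    /* low 13 bits of bytes 6-7 */
    return (uint16_t)(((ip[6] & 0x1f) << 8) | ip[7]);
}

/* Any pair containing the total length matches; every fragment carries it. */
static bool iplen_match(const struct iplen_ranges *rg, const uint8_t *ip) {
    uint16_t len = ip_total_length(ip);
    for (size_t i = 0; i < rg->npairs; i++)
        if (len >= rg->r[i][0] && len <= rg->r[i][1])
            return true;
    return false;
}

/* Ports exist only in the first fragment (offset 0): later ones cannot match. */
static bool dst_port_match(const uint8_t *ip, size_t pktlen, uint16_t port) {
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ip_frag_offset(ip) != 0 || pktlen < ihl + 4)
        return false;
    return (uint16_t)((ip[ihl + 2] << 8) | ip[ihl + 3]) == port;
}

/* Constructed first fragment: total length 28, MF set, offset 0, UDP dst port 53. */
static const uint8_t first_frag[28] = {
    0x45,0x00,0x00,0x1c, 0x12,0x34,0x20,0x00, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x04,0x00,0x00,0x35, 0x00,0x08,0x00,0x00 };
/* Constructed later fragment: same length, offset 1 (8 bytes in), no UDP header. */
static const uint8_t later_frag[28] = {
    0x45,0x00,0x00,0x1c, 0x12,0x34,0x00,0x01, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0xde,0xad,0xbe,0xef, 0x00,0x00,0x00,0x00 };
/* Rule "iplen 0-40,1000-1500": matches both fragments by length alone. */
static const struct iplen_ranges small_or_big = { 2, { {0, 40}, {1000, 1500} } };
```

The length rule fires on both fragments, while a port rule can only ever see the first one, which is why the reply treats the iplen check as independent of fragment handling.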