Date:      Tue, 10 Feb 1998 14:45:32 -0800 (PST)
From:      Archie Cobbs <archie@whistle.com>
To:        avalon@coombs.anu.edu.au (Darren Reed)
Cc:        nash@Mcs.Net, freebsd-hackers@FreeBSD.ORG
Subject:   Re: ipfw logs ports for fragments
Message-ID:  <199802102245.OAA05680@bubba.whistle.com>
In-Reply-To: <199802102235.OAA00832@hub.freebsd.org> from Darren Reed at "Feb 11, 98 09:35:16 am"

Darren Reed writes:
> > Does the fact that the rule does not specify IP_FW_F_FRAG mean that
> > the sysadmin did not intend this rule to apply to non-zero offset
> > fragments?
> 
> No, it means they're not matching fragments in particular.

Right- this makes the most sense I think. No IP_FW_F_FRAG means it's
a "don't care".

> > But what is the semantics of NOT specifying the IP_FW_F_FRAG flag?
> > Does this mean the rule ONLY applies to zero-offset fragments?
> 
> No, it means you don't care about whether or not it is fragmented.

Right.

> > PROBABLY NOT -- this would be different, unexpected behavior. Plus
> > everybody's firewalls would suddenly start leaking non-zero offset
> > fragments, which would be harmless but silly. OK, let this be decided.
> 
> Huh ?

What I meant was that the answer to the question ``Does this mean the
rule ONLY applies to zero-offset fragments?'' is probably NOT. Because
if we change the behavior to do this, suddenly a bunch of rules will
change their semantics (ignore my confusing example).

> > Now the question is.. which exception to make?
> > 
> >  #1 Don't even TRY to match rules containing port ranges and/or flags
> >     to non-zero offset fragments.
> 
> Correct.

OK with me -- as long as everyone realizes that this is going to change
the current behavior.

> >  #2 Match port range/flag rules to non-zero offset fragments by testing
> >     the rule AS IF it did not contain the port range and/or flag
> >     restrictions.
> 
> Wrong.

That's what we currently do.

Whether #1 or #2 -- the important thing is to document it.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com
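As an added illustration (not Archie's or Darren's code, and not ipfw's own): a constructed C model of the two semantics numbered #1 and #2 above, showing that the same three-rule set sends a non-zero-offset fragment to a different rule depending on which semantics is chosen. RULE_FRAG and RULE_PORTS are stand-in names for this model, not real ipfw flags.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed model of ipfw-style rule evaluation, not the real ipfw code.
 * RULE_FRAG stands in for IP_FW_F_FRAG (match only non-zero-offset fragments);
 * RULE_PORTS marks a rule carrying a destination port range. */
enum { RULE_FRAG = 1 << 0, RULE_PORTS = 1 << 1 };
enum { SEMANTICS_1 = 1, SEMANTICS_2 = 2 };

typedef struct { unsigned flags; uint16_t port_lo, port_hi; } rule_t;
typedef struct { uint16_t frag_off; uint16_t dport; } pkt_t; /* dport valid only if frag_off == 0 */

/* #1: a rule with port restrictions is never tried against a non-zero-offset
 *     fragment (the packet falls through to later rules).
 * #2: for such a fragment the port restriction is ignored and the rule matches
 *     as if it had none (what the thread describes as the current behaviour). */
bool rule_matches(const rule_t *r, const pkt_t *p, int semantics)
{
    bool later_frag = p->frag_off != 0;
    if ((r->flags & RULE_FRAG) && !later_frag)
        return false;               /* "frag" rules only match non-first fragments */
    if (!(r->flags & RULE_PORTS))
        return true;                /* no ports: fragmentation is a don't-care */
    if (!later_frag)
        return p->dport >= r->port_lo && p->dport <= r->port_hi;
    return semantics == SEMANTICS_2;
}

/* Index of the first rule that matches p, or -1 if none does. */
int first_match(const rule_t *rules, size_t n, const pkt_t *p, int semantics)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], p, semantics))
            return (int)i;
    return -1;
}

/* Constructed ruleset: 0 = allow to port 80, 1 = deny to port 23, 2 = deny all. */
static const rule_t demo_rules[] = {
    { RULE_PORTS, 80, 80 }, { RULE_PORTS, 23, 23 }, { 0, 0, 0 },
};

/* Rule index a non-zero-offset fragment hits: #2 stops at the port-80 allow
 * (index 0); #1 skips both port rules and reaches the catch-all deny (index 2). */
int demo_frag_rule(int semantics)
{
    pkt_t later_frag = { .frag_off = 185, .dport = 0 };   /* constructed packet */
    return first_match(demo_rules, 3, &later_frag, semantics);
}
```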
