Date: Mon, 24 Jun 2002 07:19:33 -0700 (PDT)
From: Archie Cobbs <archie@dellroad.org>
To: Luigi Rizzo <rizzo@icir.org>
Cc: ipfw@freebsd.org
Subject: Re: a bug in divert handling of fragments
Message-ID: <200206241419.g5OEJXk65809@arch20m.dellroad.org>
In-Reply-To: <20020621073804.B79754@iguana.icir.org> "from Luigi Rizzo at Jun 21, 2002 07:38:04 am"
Luigi Rizzo writes:
> This is in disagreement with the comment, and almost certainly
> not what one wants, so I believe this has to be fixed.
> I see two possible alternatives:
>
> #1: only trust divert info for the fragment with offset 0
>     (i.e. the one which should have headers etc.)
>
> #2: keep as good the info from the first incoming fragment with
>     a non-zero *divinfo (i.e. one which matched a divert rule).
>
> I would prefer #1 because it is less prone to attacks and easier to
> implement, and also because there is a lot more information that
> the firewall can use to select the packet.

#1 sounds good to me too..

-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
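To make the two alternatives concrete, here is an added example (not code from this thread and not FreeBSD's ip_input/divert code): a minimal fragment reassembly model in C that tracks the divert tag of a datagram under policy #1 (trust only the offset-0 fragment) and policy #2 (trust the first fragment whose tag is non-zero). The `struct frag` layout, the `divinfo` encoding (0 = no divert rule matched), the eight-queue bound and the sample fragment sequences are all assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

#define MAX_BLOCKS 8192   /* a 65535-byte datagram is at most 8192 eight-byte blocks */
#define NQ 8              /* number of reassembly queues (hypothetical bound) */

enum policy { TRUST_OFFSET_ZERO = 1, TRUST_FIRST_NONZERO = 2 };  /* #1 and #2 */

struct frag {                  /* assumed model of one arriving fragment */
    uint16_t ip_id;            /* IP identification field: groups the fragments */
    uint16_t off;              /* fragment offset, in 8-byte units */
    uint16_t len;              /* payload length in bytes */
    int      mf;               /* "more fragments" flag */
    uint16_t divinfo;          /* divert tag set by the firewall; 0 = no rule matched */
};

struct reass {
    int      in_use;
    uint16_t ip_id;
    uint8_t  seen[MAX_BLOCKS / 8]; /* bitmap of 8-byte blocks received */
    int      total_blocks;         /* set by the MF=0 fragment, else -1 */
    int      divinfo_set;
    uint16_t divinfo;
};

static struct reass queues[NQ];
void reass_reset(void) { memset(queues, 0, sizeof queues); }

static struct reass *reass_lookup(uint16_t ip_id)
{
    struct reass *slot = NULL;
    for (int i = 0; i < NQ; i++) {
        if (queues[i].in_use && queues[i].ip_id == ip_id) return &queues[i];
        if (!queues[i].in_use && slot == NULL) slot = &queues[i];
    }
    if (slot == NULL) return NULL;          /* every queue is busy */
    memset(slot, 0, sizeof *slot);
    slot->in_use = 1;
    slot->ip_id = ip_id;
    slot->total_blocks = -1;
    return slot;
}

static int reass_complete(const struct reass *r)
{
    if (r->total_blocks < 0) return 0;      /* last fragment not seen yet */
    for (int b = 0; b < r->total_blocks; b++)
        if (!(r->seen[b / 8] & (1u << (b % 8)))) return 0;   /* hole */
    return 1;
}

/* Feed one fragment. Returns 1 when the datagram is complete, storing in *out
 * the divert info the reassembled packet carries (0 = not diverted); 0 while
 * fragments are still missing; -1 for a malformed fragment or no free queue. */
int frag_input(enum policy p, const struct frag *f, uint16_t *out)
{
    int nblocks = (f->len + 7) / 8;
    if (f->len == 0 || (f->mf && f->len % 8 != 0)) return -1;  /* non-last must be 8-aligned */
    if (f->off + nblocks > MAX_BLOCKS) return -1;
    struct reass *r = reass_lookup(f->ip_id);
    if (r == NULL) return -1;

    for (int b = f->off; b < f->off + nblocks; b++)
        r->seen[b / 8] |= (uint8_t)(1u << (b % 8));
    if (!f->mf) r->total_blocks = f->off + nblocks;

    if (p == TRUST_OFFSET_ZERO) {
        /* #1: only the header-bearing fragment decides, whatever it says */
        if (f->off == 0) { r->divinfo = f->divinfo; r->divinfo_set = 1; }
    } else if (!r->divinfo_set && f->divinfo != 0) {
        /* #2: the first fragment that matched a divert rule decides */
        r->divinfo = f->divinfo; r->divinfo_set = 1;
    }

    if (!reass_complete(r)) return 0;
    *out = r->divinfo_set ? r->divinfo : 0;
    r->in_use = 0;                          /* release the queue */
    return 1;
}

/* Run a constructed fragment sequence; returns the reassembled datagram's
 * divert info, or 0xFFFF if it never completed. */
static uint16_t run(enum policy p, const struct frag *frags, size_t n)
{
    uint16_t out = 0xFFFF;
    reass_reset();
    for (size_t i = 0; i < n; i++)
        if (frag_input(p, &frags[i], &out) == 1) return out;
    return 0xFFFF;
}

/* Constructed case: the offset-0 fragment matched no divert rule but a later
 * fragment did (divinfo 7), and the fragments arrive out of order. */
uint16_t scenario_late_match(enum policy p)
{
    const struct frag frags[] = {
        { 0x1234, 4, 20, 0, 0 },   /* last fragment, delivered first */
        { 0x1234, 0, 16, 1, 0 },   /* offset 0: headers, no divert match */
        { 0x1234, 2, 16, 1, 7 },   /* middle fragment tagged by a divert rule */
    };
    return run(p, frags, 3);
}

/* Constructed case: only the offset-0 fragment matched (divinfo 9). */
uint16_t scenario_header_match(enum policy p)
{
    const struct frag frags[] = { { 0x1235, 0, 16, 1, 9 }, { 0x1235, 2, 24, 0, 0 } };
    return run(p, frags, 2);
}
```

In `scenario_late_match` the two policies disagree: #1 yields 0 (the header fragment did not match, so the datagram is not diverted) while #2 yields 7 (a non-header fragment alone selected the divert destination). When only the offset-0 fragment matched, as in `scenario_header_match`, both give 9. That difference is the point of the thread: under #1 the decision rests on the fragment the firewall can inspect in full.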