From owner-freebsd-ipfw Sun Mar 12 14:50:58 2000
Date: Sun, 12 Mar 2000 17:52:07 -0500 (EST)
From: Robert Watson
To: Luigi Rizzo
Cc: Mike Heffner, freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw doesn't match when src == dest
In-Reply-To: <200003101136.MAA75621@info.iet.unipi.it>

On Fri, 10 Mar 2000, Luigi Rizzo wrote:

> > Hello,
> >
> > When I recently redid my firewall, I wanted to block a strange packet from my
> > cablemodem,
> >
> > Deny P:2 192.168.100.1 192.168.100.1 in via ed1
>
> are you sure that the logging code prints the right thing ?
> I noticed (from source code analysis) it does strange things with
> fragments, it might as well misbehave with short packets etc.

Having spent about two minutes looking at the ipfw code, it looks like
there are no false accepts for ultra-fragmented UDP/TCP/ICMP packets
(i.e., the transmitter fragments the IP packet during UDP/TCP headers to
avoid packet matching) as PULLUP_TO drops if there isn't room for the TCP
or UDP header in any packet with ip->ip_p set appropriately. However, it
looks like one side effect of this is that small fragments later in a
packet (such as the last 4 bytes of a TCP packet that was fragmented on
the path) will also be dropped as a result, as the IP body wouldn't have
room for a TCP header.

I believe that the correct test should be to drop only packets that are
either unfragmented, or the first fragment, if they are too short--not
any IP packet regardless of fragmentation. As I said, this was a real
quick source code inspection, and I have not tested it with some
characteristic packets. It could also either not be a problem, or be far
worse.

  Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sun Mar 12 21:47:13 2000
From: Luigi Rizzo
Message-Id: <200003130545.GAA89213@info.iet.unipi.it>
Subject: Re: ipfw doesn't match when src == dest
In-Reply-To: from Robert Watson at "Mar 12, 2000 05:52:07 pm"
To: Robert Watson
Date: Mon, 13 Mar 2000 06:45:44 +0100 (CET)
Cc: Mike Heffner, freebsd-ipfw@FreeBSD.ORG

Hi,
the original poster found out the problem -- a call to inet_ntoa()
(or similar function) which returned a ptr to a static buffer was used
twice in the same function, with obvious results.

cheers
luigi

>
> > > Hello,
> > >
> > > When I recently redid my firewall, I wanted to block a strange packet from my
> > > cablemodem,
> > >
> > > Deny P:2 192.168.100.1 192.168.100.1 in via ed1
> >
> > are you sure that the logging code prints the right thing ?
> > I noticed (from source code analysis) it does strange things with
> > fragments, it might as well misbehave with short packets etc.
>
> Having spent about two minutes looking at the ipfw code, it looks like
> there are no false accepts for ultra-fragmented UDP/TCP/ICMP packets

From owner-freebsd-ipfw Sun Mar 12 21:53:53 2000
Date: Mon, 13 Mar 2000 00:55:04 -0500 (EST)
From: Robert Watson
To: Luigi Rizzo
Cc: Mike Heffner, freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw doesn't match when src == dest
In-Reply-To: <200003130545.GAA89213@info.iet.unipi.it>

Actually, this post was with regards to the fragment handling comment you
made, and not the buffer problem, to which I'll commit the patch for
shortly. Could you comment on the potential accuracy of my observations
about over-zealous dropping of fragments?
:-)

On Mon, 13 Mar 2000, Luigi Rizzo wrote:

> Hi,
> the original poster found out the problem -- a call to inet_ntoa()
> (or similar function) which returned a ptr to a static buffer was used
> twice in the same function, with obvious results.
>
> cheers
> luigi
> >
> > > > Hello,
> > > >
> > > > When I recently redid my firewall, I wanted to block a strange packet from my
> > > > cablemodem,
> > > >
> > > > Deny P:2 192.168.100.1 192.168.100.1 in via ed1
> > >
> > > are you sure that the logging code prints the right thing ?
> > > I noticed (from source code analysis) it does strange things with
> > > fragments, it might as well misbehave with short packets etc.
> >
> > Having spent about two minutes looking at the ipfw code, it looks like
> > there are no false accepts for ultra-fragmented UDP/TCP/ICMP packets
>
>

  Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
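
The fragment length check discussed in this thread, sketched as an added example (not ipfw source and not code from any poster): one predicate drops every packet whose body is too short for the transport header, the other applies that test only when the fragment offset is zero. The struct, the function names, the header minimums and the sample packets are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OFFMASK 0x1fff   /* low 13 bits of ip_off: fragment offset / 8 */
#define MF      0x2000   /* "more fragments" flag */

struct pkt {             /* hypothetical summary of one received IP packet */
    const char *what;
    uint8_t  proto;      /* 6 = TCP, 17 = UDP, 1 = ICMP */
    uint16_t ip_off;     /* flags + offset, host byte order */
    size_t   body_len;   /* bytes after the IP header */
};

/* Assumed minimum transport header sizes; not ipfw's own constants. */
static size_t min_hdr(uint8_t proto)
{
    return proto == 6 ? 20 : (proto == 17 || proto == 1) ? 8 : 0;
}

/* Check as described in the thread: body too short for the header => drop. */
int drop_any_short(const struct pkt *p)
{
    return p->body_len < min_hdr(p->proto);
}

/* Proposed check: only offset-0 packets are expected to hold the header. */
int drop_first_short(const struct pkt *p)
{
    if ((p->ip_off & OFFMASK) != 0)
        return 0;
    return p->body_len < min_hdr(p->proto);
}

/* Constructed sample packets, not captured traffic. */
static const struct pkt samples[] = {
    { "TCP first fragment, 8-byte body",  6, MF,  8 },
    { "TCP last fragment, 4-byte body",   6, 185, 4 },
    { "UDP unfragmented, 4-byte body",   17, 0,   4 },
    { "TCP unfragmented, 20-byte body",   6, 0,  20 },
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s any=%d first-only=%d\n", samples[i].what,
               drop_any_short(&samples[i]), drop_first_short(&samples[i]));
    return 0;
}
```

Fragments with a nonzero offset carry no transport header, so port- or flag-based rules cannot be evaluated on them; the second predicate only stops the length check from discarding them.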
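
The inet_ntoa() static-buffer problem named in this thread, as an added example that is not code from the thread or from ipfw: two conversions inside one format call share a buffer, so the log line shows identical source and destination text. The function names and the sample addresses are constructed for illustration; the "Deny P:2" prefix follows the log line quoted above.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Buggy pattern: inet_ntoa() returns a pointer to one static buffer, so
 * both %s arguments point at the same bytes and whichever conversion runs
 * last (the order is unspecified) overwrites the other. */
static void log_buggy(char *out, size_t n, struct in_addr s, struct in_addr d)
{
    snprintf(out, n, "Deny P:2 %s %s", inet_ntoa(s), inet_ntoa(d));
}

/* Fixed pattern: inet_ntop() writes into caller-owned buffers, one each. */
static void log_fixed(char *out, size_t n, struct in_addr s, struct in_addr d)
{
    char sb[INET_ADDRSTRLEN], db[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &s, sb, sizeof sb);
    inet_ntop(AF_INET, &d, db, sizeof db);
    snprintf(out, n, "Deny P:2 %s %s", sb, db);
}

/* Format one packet's addresses into line and return 1 if the logged source
 * and destination text are identical, 0 if they differ, -1 on bad input. */
int log_shows_src_eq_dst(const char *src, const char *dst, int use_fixed,
                         char *line, size_t n)
{
    struct in_addr s, d;
    char a[INET_ADDRSTRLEN], b[INET_ADDRSTRLEN];
    if (inet_pton(AF_INET, src, &s) != 1 || inet_pton(AF_INET, dst, &d) != 1)
        return -1;
    (use_fixed ? log_fixed : log_buggy)(line, n, s, d);
    if (sscanf(line, "Deny P:2 %15s %15s", a, b) != 2)
        return -1;
    return strcmp(a, b) == 0;
}

int main(void)
{
    char line[64];
    /* Constructed addresses, not the original poster's real traffic. */
    log_shows_src_eq_dst("192.168.100.1", "224.0.0.1", 0, line, sizeof line);
    printf("buggy: %s\n", line);
    log_shows_src_eq_dst("192.168.100.1", "224.0.0.1", 1, line, sizeof line);
    printf("fixed: %s\n", line);
    return 0;
}
```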