Date:      Wed, 6 Jan 2016 18:16:02 -0600
From:      Dan Lists <lists.dan@gmail.com>
To:        freebsd-ipfw@freebsd.org
Subject:   Handling Fragments
Message-ID:  <CAPW8bZ1%2B87VQWJTU35WNpSwoZoy4RU3jJMtuCmUZ9b%2BkU7tGmQ@mail.gmail.com>

I have two primary questions regarding the handling of fragments (and some
follow-up questions).  The first question is in reference to IPv4 fragments
and net.inet.ip.fw.one_pass, and the second question is about handling IPv6
fragments.

The rule 'ipfw add reass ip4 from any to any in' is supposed to handle all
IPv4 fragments.  I am confused about the net.inet.ip.fw.one_pass variable.
The man page says:

       "if net.inet.ip.fw.one_pass is set to
        0, processing continues with the next rule.  Otherwise, the
        packet is allowed to pass and the search terminates."

Does this mean that if net.inet.ip.fw.one_pass is 1, which is the
default, that fragmented packets skip the remainder of my rules and
the packet is allowed through?  Or is the filtering based on the first
packet in the fragment?  I could not find any clear documentation on
this.  Is there a performance penalty for setting
net.inet.ip.fw.one_pass to 0?

The reass rule does not work for IPv6, so what is the best way to
handle IPv6 fragments?  I am seeing IPv6 fragments being blocked,
mostly DNS responses.  I have seen some suggestions to allow all
fragments in.  It seems like that would be a potential attack vector.
An attacker could fragment the packet and connect to an otherwise
blocked port.

Any feedback would be appreciated.

Thanks!

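An added illustration of the one_pass semantics quoted from the man page above (not part of the original post, and not ipfw's own code): a small first-match rule walker where `reass` either ends the search with an allow (one_pass=1) or hands the reassembled packet to the next rule (one_pass=0). The packet fields, the three-rule list and the default-deny fallthrough are constructed assumptions for the model.

```python
# Added example: a minimal model of ipfw's first-match rule search, used only
# to show what the quoted net.inet.ip.fw.one_pass text implies for a ruleset
# that starts with 'reass'. Packets and rules are simplified constructs.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" / "udp"
    dport: int      # destination port
    fragment: bool  # True if this is a fragment that 'reass' would reassemble


# (action, predicate) in rule-number order; actions mirror ipfw keywords.
# Assumed ruleset: reass first, then a port filter, then a catch-all allow.
RULES = [
    ("reass", lambda p: p.fragment),                        # reass ip4 from any to any in
    ("deny",  lambda p: p.proto == "tcp" and p.dport == 22),  # deny tcp to port 22
    ("allow", lambda p: True),                               # allow ip from any to any
]


def search(pkt: Packet, one_pass: int) -> str:
    """Walk RULES in order and return the verdict for pkt.

    Per the man page text: after reass, if one_pass is 0 processing
    continues with the next rule; otherwise the packet is allowed and
    the search terminates. Default deny if nothing matches (model assumption).
    """
    for action, match in RULES:
        if not match(pkt):
            continue
        if action == "reass":
            pkt = replace(pkt, fragment=False)  # now a whole datagram
            if one_pass:
                return "allow"                  # search terminates here
            continue                            # one_pass=0: keep filtering
        return action
    return "deny"


def verdicts(pkt: Packet) -> dict:
    """Verdict under both one_pass settings, for side-by-side comparison."""
    return {one_pass: search(pkt, one_pass) for one_pass in (0, 1)}


if __name__ == "__main__":
    frag_ssh = Packet("tcp", 22, fragment=True)   # constructed sample packet
    print(verdicts(frag_ssh))                     # {0: 'deny', 1: 'allow'}
```

The divergence on the fragmented port-22 packet is the point of the question: with one_pass=1 the reassembled packet never reaches the deny rule.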

