From: Dan Lists
To: freebsd-ipfw@freebsd.org
Date: Wed, 6 Jan 2016 18:16:02 -0600
Subject: Handling Fragments
List-Id: IPFW Technical Discussions
I have two primary questions regarding the handling of fragments (and some follow-up questions). The first question is in reference to IPv4 fragments and net.inet.ip.fw.one_pass, and the second question is about handling IPv6 fragments.

The rule 'ipfw add reass ip4 from any to any in' is supposed to handle all IPv4 fragments. I am confused about the net.inet.ip.fw.one_pass variable. The man page says:

"if net.inet.ip.fw.one_pass is set to 0, processing continues with the next rule. Otherwise, the packet is allowed to pass and the search terminates."

Does this mean that if net.inet.ip.fw.one_pass is 1, which is the default, that fragmented packets skip the remainder of my rules and the packet is allowed through? Or is the filtering based on the first packet in the fragment? I could not find any clear documentation on this. Is there a performance penalty for setting net.inet.ip.fw.one_pass to 0?

The reass rule does not work for IPv6, so what is the best way to handle IPv6 fragments? I am seeing IPv6 fragments being blocked, mostly DNS responses. I have seen some suggestions to allow all fragments in. It seems like that would be a potential attack vector. An attacker could fragment the packet and connect to an otherwise blocked port.

Any feedback would be appreciated.

Thanks!
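As an added illustration of the IPv6 point raised in the post (example code, not from the poster or from ipfw): a small parser for the IPv6 Fragment extension header showing that only the offset-0 fragment carries the UDP header, so a stateless port rule can match the first fragment of a DNS reply but has nothing to match in the later ones, which is why they end up blocked unless the ruleset reassembles or tracks fragments. The two DNS-reply fragments are constructed inline; addresses are zeroed and the checksum is left unset because the parser does not need them.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IPV6_HDR_LEN = 40
NH_UDP = 17
NH_FRAGMENT = 44  # IPv6 Fragment extension header (RFC 8200, section 4.5)

@dataclass
class FragInfo:
    is_fragment: bool
    offset: int              # fragment offset in 8-octet units; 0 means first fragment
    more_fragments: bool
    next_header: int         # upper-layer protocol; its header is present only when offset == 0
    src_port: Optional[int]  # None when this packet carries no transport header
    dst_port: Optional[int]

def parse_ipv6(pkt: bytes) -> FragInfo:
    """Walk the fixed IPv6 header and an optional Fragment header; read UDP ports if reachable."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, pos, is_frag, offset, more = pkt[6], IPV6_HDR_LEN, False, 0, False
    if nh == NH_FRAGMENT:
        if len(pkt) < pos + 8:
            raise ValueError("truncated fragment header")
        nh, _reserved, off_flags, _ident = struct.unpack_from("!BBHI", pkt, pos)
        offset, more, is_frag, pos = off_flags >> 3, bool(off_flags & 1), True, pos + 8
    src = dst = None
    # Only the offset-0 fragment carries the transport header, so only it exposes ports.
    if offset == 0 and nh == NH_UDP and len(pkt) >= pos + 8:
        src, dst = struct.unpack_from("!HH", pkt, pos)
    return FragInfo(is_frag, offset, more, nh, src, dst)

def port_rule_allows(pkt: bytes, allowed_src_port: int = 53) -> bool:
    """Emulate a stateless 'allow udp from any 53' rule evaluated on each packet on its own."""
    return parse_ipv6(pkt).src_port == allowed_src_port

def build_ipv6(next_hdr: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_hdr, 64, bytes(16), bytes(16)) + payload

def build_frag_hdr(next_hdr: int, offset8: int, more: bool, ident: int) -> bytes:
    return struct.pack("!BBHI", next_hdr, 0, (offset8 << 3) | int(more), ident)

# Constructed sample (not a capture): a 1600-byte DNS reply from UDP port 53 split in two fragments.
UDP_HDR = struct.pack("!HHHH", 53, 40000, 8 + 1600, 0)
FIRST_FRAG = build_ipv6(NH_FRAGMENT, build_frag_hdr(NH_UDP, 0, True, 0x1234) + UDP_HDR + bytes(1232))
SECOND_FRAG = build_ipv6(NH_FRAGMENT, build_frag_hdr(NH_UDP, 155, False, 0x1234) + bytes(368))
```

Running `port_rule_allows` over both fragments passes the first and rejects the second, reproducing the blocked-DNS-reply symptom described above.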