Date:      Sat, 21 Mar 2009 00:46:57 +0100 (CET)
From:      Oliver Fromme <olli@lurza.secnetix.de>
To:        freebsd-ipfw@FreeBSD.ORG, dima_bsd@inbox.lv
Subject:   Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID:  <200903202346.n2KNkvQu011749@lurza.secnetix.de>
In-Reply-To: <200903192129.03360.dima_bsd@inbox.lv>

Dmitriy Demidov wrote:
 > Oliver Fromme wrote:
 > > I'm just curious ...  Is it really worth the effort to add
 > > fragment reassembly to IPFW?  What advantage does it have?
 > > 
 > > It would be much easier to simply pass all fragments with
 > > offset > 1, and drop all fragments with offset 0 that are
 > > smaller than a certain reasonable minimum length.  What
 > > would be the problem with this approach?
 > 
 > Please wait... If I got it right (and am not missing something) then this rule:
 > ipfw add allow ip from any to me frag
 > has a disadvantage: I'm unable to filter data by UDP/TCP ports. All IP 
 > packets are just passing through the firewall to me. No UDP/TCP filtering here?

From the ipfw(8) manual page:

     frag    Matches packets that are fragments and not the
             first fragment of an IP datagram.

That rule does _not_ pass the first fragment of a fragmented
packet.  So you can still filter by TCP and UDP ports.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry Court Munich, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, commercial register: Registry Court
Munich, HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

"We will perhaps eventually be writing only small modules which are identi-
fied by name as they are used to build larger ones, so that devices like
indentation, rather than delimiters, might become feasible for expressing
local structure in the source language." -- Donald E. Knuth, 1974

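The scheme Oliver sketches in the message above (pass non-first fragments, drop undersized first fragments, and port-filter whatever arrives with fragment offset 0) as an added Python example. This is not part of the original thread and is not ipfw code: it builds its own IPv4/UDP packets as constructed sample input and evaluates the policy over them so the behaviour can be checked offline. The 28-byte minimum first-fragment length, the allowed-port set, the decision to treat offset 1 as hostile (the RFC 1858 overlap check), and all function names are assumptions made for the illustration.

```python
"""Fragment-aware UDP port filter modelled on the policy discussed in the
thread. Added example, not ipfw code; every packet here is constructed."""
import socket
import struct

IPPROTO_UDP = 17
MIN_FIRST_FRAG_LEN = 28     # assumption: 20-byte IPv4 header + 8-byte UDP header
ALLOWED_UDP_DPORTS = {53}   # assumption: DNS is the only UDP service exposed


def build_ipv4(payload, proto, offset, more_fragments, src="192.0.2.1", dst="192.0.2.2"):
    """Minimal IPv4 header (no options, checksum left zero); offset is in 8-byte units."""
    flags_off = (0x2000 if more_fragments else 0) | (offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_off, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def udp_segment(sport, dport, data):
    """UDP header (checksum left zero) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv4(pkt):
    """Pull out the fields the filter needs from a raw IPv4 packet."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver_ihl, total_len, flags_off, proto = fields[0], fields[2], fields[4], fields[6]
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "total_len": total_len,
        "proto": proto,
        "offset": flags_off & 0x1FFF,       # fragment offset, 8-byte units
        "mf": bool(flags_off & 0x2000),     # More Fragments flag
        "payload": pkt[ihl:total_len],
    }


def decide(pkt):
    """Return (verdict, reason) for one packet; first match wins, as in an ipfw ruleset."""
    ip = parse_ipv4(pkt)
    if ip["offset"] > 1:
        # Counterpart of 'allow ip from any to me frag': no transport header to inspect.
        return "allow", "non-first fragment, nothing to port-match"
    if ip["offset"] == 1:
        # Assumption: offset 1 can overlay the transport header carried in
        # fragment 0, so it is refused (the RFC 1858 check).
        return "deny", "offset 1 could overwrite the transport header"
    if ip["mf"] and ip["total_len"] < MIN_FIRST_FRAG_LEN:
        return "deny", "first fragment too small to carry the UDP header"
    if ip["proto"] != IPPROTO_UDP or len(ip["payload"]) < 8:
        return "deny", "not UDP, or UDP header truncated"
    _sport, dport = struct.unpack("!HH", ip["payload"][:4])
    if dport in ALLOWED_UDP_DPORTS:
        return "allow", "UDP dport %d permitted" % dport
    return "deny", "UDP dport %d not permitted" % dport


def fragment_udp_datagram(sport, dport, data, mtu=576):
    """Split a UDP datagram into IPv4 fragments the way a sending host would."""
    seg = udp_segment(sport, dport, data)
    chunk = ((mtu - 20) // 8) * 8     # every fragment but the last is a multiple of 8 bytes
    frags = []
    for off in range(0, len(seg), chunk):
        piece = seg[off:off + chunk]
        frags.append(build_ipv4(piece, IPPROTO_UDP, off // 8, off + chunk < len(seg)))
    return frags


def sample_verdicts():
    """Run the policy over constructed packets; returns {name: verdict}."""
    big_dns = fragment_udp_datagram(53, 53, b"A" * 1200)   # 1208-byte datagram -> 3 fragments
    cases = {
        "dns_first_fragment": big_dns[0],     # offset 0, MF set, carries the UDP ports
        "dns_middle_fragment": big_dns[1],    # offset 69, no transport header
        "dns_last_fragment": big_dns[2],      # offset 138, MF clear
        "ntp_unfragmented": build_ipv4(udp_segment(1024, 123, b"N" * 48), IPPROTO_UDP, 0, False),
        # 4-byte first fragment: the ports say "DNS", but the UDP header is cut off after them.
        "tiny_first_fragment": build_ipv4(b"\x00\x35\x00\x35", IPPROTO_UDP, 0, True),
        "overlap_at_offset_1": build_ipv4(b"\x00" * 8, IPPROTO_UDP, 1, True),
    }
    return {name: decide(pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print("%-22s %s" % (name, verdict))
```

The first fragment of the large DNS reply still carries the UDP ports and is port-matched normally; only the fragments with a non-zero offset are waved through, which is the point made in the reply above. The tiny first fragment is the case the length check exists for: its four bytes look like "sport 53, dport 53" to a port-only check, but it is refused before the port comparison runs.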