From: Oliver Fromme
Date: Sat, 21 Mar 2009 00:46:57 +0100 (CET)
To: freebsd-ipfw@FreeBSD.ORG, dima_bsd@inbox.lv
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
List: freebsd-ipfw (IPFW Technical Discussions)

Dmitriy Demidov wrote:
> Oliver Fromme wrote:
> > I'm just curious ... Is it really worth the effort to add
> > fragment reassembly to IPFW? What advantage does it have?
> >
> > It would be much easier to simply pass all fragments with
> > offset > 1, and drop all fragments with offset 0 that are
> > smaller than a certain reasonable minimum length. What
> > would be the problem with this approach?
>
> Please wait... If I got it right (and am not missing something), then this rule:
> ipfw add allow ip from any to me frag
> has a disadvantage - I'm unable to filter data by UDP/TCP ports. All IP
> packets just pass through the firewall to me. No UDP/TCP filtering here?

From the ipfw(8) manual page:

    frag    Matches packets that are fragments and not the first
            fragment of an IP datagram.

That rule does _not_ pass the first fragment of a fragmented packet. So you can still filter by TCP and UDP ports.

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd
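To make Oliver's point concrete, here is an added example (not from the thread or from ipfw itself) that builds three constructed IPv4 packets and walks them through an emulation of the ruleset under discussion: ipfw's `frag` keyword is taken to match only packets with a non-zero fragment offset, so the first fragment still reaches the port-based rule. The packet builder, the rule order and the port 53 choice are assumptions made for the demonstration.

```python
import struct

MF = 0x2000  # "more fragments" flag bit in the IPv4 flags/fragment-offset field

def ipv4(proto, flags_off, payload, src="10.0.0.2", dst="10.0.0.1"):
    """Build a minimal IPv4 header (20 bytes, no options) plus payload.
    Constructed packets only; checksum left at 0 since nothing verifies it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_off, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload

def parse(pkt):
    """Return (proto, frag_offset, dst_port). dst_port is None when the
    packet carries no transport header, i.e. it is a non-first fragment
    (or not TCP/UDP at all)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if frag_off != 0 or proto not in (6, 17):
        return proto, frag_off, None
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return proto, frag_off, dport

def verdict(pkt):
    """Emulate, first match wins:
         allow ip from any to me frag     (non-first fragments only)
         allow udp from any to me 53
         deny ip from any to any"""
    proto, frag_off, dport = parse(pkt)
    if frag_off != 0:   # ipfw 'frag': a fragment AND not the first one
        return "allow (frag rule)"
    if proto == 17 and dport == 53:
        return "allow (udp 53)"
    return "deny"

# Constructed samples: first fragment of a UDP datagram to port 53, a later
# fragment of the same datagram (offset 185 units of 8 bytes, MF clear),
# and the first fragment of a UDP datagram to a port no rule allows.
udp_dns = struct.pack("!HHHH", 40000, 53, 12, 0) + b"\x00" * 4
udp_other = struct.pack("!HHHH", 40000, 1234, 12, 0) + b"\x00" * 4
first_dns = ipv4(17, MF | 0, udp_dns)
later_frag = ipv4(17, 185, b"\x00" * 8)
first_other = ipv4(17, MF | 0, udp_other)

if __name__ == "__main__":
    for name, p in [("first_dns", first_dns), ("later_frag", later_frag),
                    ("first_other", first_other)]:
        print(name, "->", verdict(p))
```

Only the non-first fragment hits the `frag` rule; the first fragment of each datagram, which is the one carrying the UDP ports, is still judged by the port rule.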