From owner-freebsd-ipfw@FreeBSD.ORG  Thu Apr  3 13:53:36 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C25C937B401
	for <ipfw@freebsd.org>; Thu,  3 Apr 2003 13:53:36 -0800 (PST)
Received: from epita.fr (hermes.epita.fr [163.5.255.10])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C6FCA43FBF
	for <ipfw@freebsd.org>; Thu,  3 Apr 2003 13:53:34 -0800 (PST)
	(envelope-from le-hen_j@epita.fr)
Received: from annelo (annelo.epita.fr [10.42.120.68])
	by epita.fr id h33LrRN27283 for ipfw@freebsd.org 
	EPITA Paris France Thu, 3 Apr 2003 23:53:29 +0200 (MEST)
Date: Thu, 3 Apr 2003 23:53:27 +0200
From: jeremie le-hen <le-hen_j@epita.fr>
To: ipfw@freebsd.org
Message-ID: <20030403215327.GJ7538@annelo.epita.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
Subject: Implementing ranges in ipfw2
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Apr 2003 21:53:37 -0000

Hi,

I going to implement ranges for IPLEN using the same way as for transport
layer ports (struct _ipfw_insn_u16). But I'm wondering if this kind of test
should be only applied on first/only fragments, since a malicious application
could use small fragment in order to bypass firewall rules.

I'm waiting for your comments.
-- 
Jeremie aka TtZ
le-hen_j@epita.fr