Date: Thu, 3 Apr 2003 23:33:03 -0800
From: Luigi Rizzo <rizzo@icir.org>
To: jeremie le-hen <le-hen_j@epita.fr>
Cc: ipfw@freebsd.org
Subject: Re: Implementing ranges in ipfw2
Message-ID: <20030403233303.B58813@xorpc.icir.org>
In-Reply-To: <20030403215327.GJ7538@annelo.epita.fr>; from le-hen_j@epita.fr on Thu, Apr 03, 2003 at 11:53:27PM +0200
References: <20030403215327.GJ7538@annelo.epita.fr>
I would just implement the iplen check; there is another option which deals with fragments and can be used in conjunction with this one if needed. Also, a different handling of fragments (when talking of size) makes little sense, because one could always force a small MTU to generate short packets. The reason people are generally concerned with fragments is that the protocol-specific information (port numbers etc.) is not available in fragments past the first one, but the length information is in the IP header anyways.

cheers
luigi

On Thu, Apr 03, 2003 at 11:53:27PM +0200, jeremie le-hen wrote:
> Hi,
>
> I'm going to implement ranges for IPLEN using the same way as for transport
> layer ports (struct _ipfw_insn_u16). But I'm wondering if this kind of test
> should be only applied on first/only fragments, since a malicious application
> could use small fragments in order to bypass firewall rules.
>
> I'm waiting for your comments.
> --
> Jeremie aka TtZ
> le-hen_j@epita.fr
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
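The distinction drawn in the reply above (the total length is in every fragment's IP header, while ports exist only in the first/only fragment), as an added C example that is not from this thread or from ipfw itself. `len_range`, `match_iplen`, `match_dst_port` and the two sample packets are hypothetical stand-ins constructed for illustration, not ipfw2's real `_ipfw_insn_u16` matcher:

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for ipfw2's (lo, hi) u16 range pairs; not ipfw's own struct. */
struct len_range { uint16_t lo, hi; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validates the fixed IPv4 header; returns header length in bytes, or 0 if malformed/truncated. */
static size_t ipv4_hdr_len(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t hl = (size_t)(pkt[0] & 0x0f) * 4;
    return (hl >= 20 && hl <= len) ? hl : 0;
}

/* iplen check: total length sits in the IP header, so it is decidable on every fragment.
 * Returns 1 on a range hit, 0 on miss, -1 if the header does not parse. */
int match_iplen(const uint8_t *pkt, size_t len, const struct len_range *r, size_t n)
{
    if (!ipv4_hdr_len(pkt, len)) return -1;
    uint16_t total = rd16(pkt + 2);
    for (size_t i = 0; i < n; i++)
        if (total >= r[i].lo && total <= r[i].hi) return 1;
    return 0;
}

/* Port check: only the first/only fragment carries the TCP/UDP header.
 * Returns 1/0 for match/miss, -1 when undecidable (later fragment, truncated, or unparsable). */
int match_dst_port(const uint8_t *pkt, size_t len, uint16_t port)
{
    size_t hl = ipv4_hdr_len(pkt, len);
    if (!hl) return -1;
    if ((rd16(pkt + 6) & 0x1fff) != 0) return -1;   /* 13-bit fragment offset != 0 */
    uint8_t proto = pkt[9];
    if (proto != 6 && proto != 17) return 0;        /* not TCP/UDP: no port to compare */
    if (len < hl + 4) return -1;                    /* transport header truncated */
    return rd16(pkt + hl + 2) == port;
}

/* Constructed samples: 20-byte IPv4 header claiming total length 60, followed by 8 bytes.
 * FIRST: MF set, offset 0, TCP dst port 80.  LATER: same flow, offset 10 (80 bytes), no L4 header. */
const uint8_t PKT_FIRST[28] = { 0x45,0,0,0x3c, 0,1,0x20,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,
                                0x04,0xd2,0x00,0x50, 0,0,0,0 };
const uint8_t PKT_LATER[28] = { 0x45,0,0,0x3c, 0,1,0,0x0a, 64,6,0,0, 10,0,0,1, 10,0,0,2,
                                0xde,0xad,0xbe,0xef, 0,0,0,0 };
const struct len_range SHORT_PKTS[1] = { { 0, 100 } };   /* hypothetical "iplen 0-100" rule */
```

A firewall that combines the two checks can still apply the length rule to the later fragment, while a port rule on it must be treated as undecidable rather than as a miss.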