Date:      Thu, 3 Apr 2003 23:33:03 -0800
From:      Luigi Rizzo <rizzo@icir.org>
To:        jeremie le-hen <le-hen_j@epita.fr>
Cc:        ipfw@freebsd.org
Subject:   Re: Implementing ranges in ipfw2
Message-ID:  <20030403233303.B58813@xorpc.icir.org>
In-Reply-To: <20030403215327.GJ7538@annelo.epita.fr>; from le-hen_j@epita.fr on Thu, Apr 03, 2003 at 11:53:27PM +0200
References:  <20030403215327.GJ7538@annelo.epita.fr>

I would just implement the iplen check; there is another option which
deals with fragments and can be used in conjunction with this one
if needed.

Also a different handling of fragments (when talking of size)
makes little sense because one could always force a small MTU
to generate short packets. The reason people are generally
concerned with fragments is that the protocol-specific information
(port numbers etc.) is not available in fragments past the first
one, but the length information is in the IP header anyway.

	cheers
	luigi

On Thu, Apr 03, 2003 at 11:53:27PM +0200, jeremie le-hen wrote:
> Hi,
> 
> I am going to implement ranges for IPLEN in the same way as for transport
> layer ports (struct _ipfw_insn_u16). But I'm wondering whether this kind of test
> should only be applied to first/only fragments, since a malicious application
> could use small fragments in order to bypass firewall rules.
> 
> I'm waiting for your comments.
> -- 
> Jeremie aka TtZ
> le-hen_j@epita.fr
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
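The point made above, that the total length sits in every fragment's IP header while port numbers exist only in the first fragment, is illustrated below with a small added example. It is not ipfw code and not part of this thread; the struct names, the `rule_matches()` helper and the two sample packets are constructed here for illustration. An iplen range is checked on every fragment, while a port range can only be evaluated on a first/only fragment that actually carries a transport header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Decoded view of an IPv4 packet: just the fields an iplen/port test needs
   (hypothetical struct, not an ipfw type). */
struct pkt_view {
    uint16_t ip_len;     /* total length from the IP header, host order */
    uint16_t frag_off;   /* fragment offset in bytes (0 = first/only fragment) */
    bool     more_frags; /* MF flag */
    uint8_t  proto;
    bool     has_ports;  /* true only when a TCP/UDP header is actually present */
    uint16_t sport, dport;
};

/* Parse an IPv4 packet from raw bytes; returns false if truncated/malformed. */
static bool parse_ipv4(const uint8_t *buf, size_t n, struct pkt_view *v) {
    if (n < 20 || (buf[0] >> 4) != 4) return false;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20 || n < ihl) return false;
    memset(v, 0, sizeof *v);
    v->ip_len = (uint16_t)(buf[2] << 8 | buf[3]);     /* present in every fragment */
    uint16_t fo = (uint16_t)(buf[6] << 8 | buf[7]);
    v->more_frags = (fo & 0x2000) != 0;
    v->frag_off = (uint16_t)((fo & 0x1fff) * 8);
    v->proto = buf[9];
    /* Ports live in the transport header, which only the first fragment carries;
       reading buf[ihl..] on a later fragment would just return payload bytes. */
    if (v->frag_off == 0 && (v->proto == 6 || v->proto == 17) && n >= ihl + 4) {
        v->has_ports = true;
        v->sport = (uint16_t)(buf[ihl] << 8 | buf[ihl + 1]);
        v->dport = (uint16_t)(buf[ihl + 2] << 8 | buf[ihl + 3]);
    }
    return true;
}

/* A rule with optional ranges, in the spirit of ipfw's u16 range pairs
   (constructed type, not struct _ipfw_insn_u16). */
struct u16_range { uint16_t lo, hi; };
struct rule {
    bool check_iplen; struct u16_range iplen;
    bool check_dport; struct u16_range dport;
};

static bool in_range(uint16_t x, struct u16_range r) { return x >= r.lo && x <= r.hi; }

/* iplen is tested on every fragment; a port test can only match a packet
   that carries ports, so non-first fragments never match a port rule. */
static int rule_matches(const struct rule *r, const struct pkt_view *v) {
    if (r->check_iplen && !in_range(v->ip_len, r->iplen)) return 0;
    if (r->check_dport) {
        if (!v->has_ports) return 0;
        if (!in_range(v->dport, r->dport)) return 0;
    }
    return 1;
}

/* Constructed sample: first fragment (MF set, offset 0) of a UDP datagram
   10.0.0.1 -> 10.0.0.2:53, total length 60; payload omitted for brevity. */
static const uint8_t SAMPLE_FIRST[] = {
    0x45, 0x00, 0x00, 0x3c, 0x12, 0x34, 0x20, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,
    0xc0, 0x00, 0x00, 0x35, 0x00, 0x28, 0x00, 0x00
};

/* Constructed sample: last fragment of the same datagram (offset 5*8 = 40 bytes),
   total length 60. The four bytes after the IP header are payload, not ports. */
static const uint8_t SAMPLE_LAST[] = {
    0x45, 0x00, 0x00, 0x3c, 0x12, 0x34, 0x00, 0x05, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,
    0xde, 0xad, 0xbe, 0xef
};

int main(void) {
    struct rule len_only = { .check_iplen = true, .iplen = { 40, 100 } };
    struct rule len_and_port = { .check_iplen = true, .iplen = { 40, 100 },
                                 .check_dport = true, .dport = { 53, 53 } };
    struct pkt_view first, last;
    parse_ipv4(SAMPLE_FIRST, sizeof SAMPLE_FIRST, &first);
    parse_ipv4(SAMPLE_LAST, sizeof SAMPLE_LAST, &last);
    printf("iplen 40-100:         first=%d last=%d\n",
           rule_matches(&len_only, &first), rule_matches(&len_only, &last));
    printf("iplen 40-100 dport 53: first=%d last=%d\n",
           rule_matches(&len_and_port, &first), rule_matches(&len_and_port, &last));
    return 0;
}
```

Run as is, the iplen-only rule matches both fragments, while the rule that also asks for dport 53 matches only the first fragment; the last fragment has no transport header to test, which is exactly why a length test needs no special fragment handling but a port test does.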
