From: Archie Cobbs
Message-Id: <200206241419.g5OEJXk65809@arch20m.dellroad.org>
Subject: Re: a bug in divert handling of fragments
In-Reply-To: <20020621073804.B79754@iguana.icir.org> "from Luigi Rizzo at Jun 21, 2002 07:38:04 am"
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Date: Mon, 24 Jun 2002 07:19:33 -0700 (PDT)

Luigi Rizzo writes:
> This is in disagreement with the comment, and almost certainly
> not what one wants, so I believe this has to be fixed.
> I see two possible alternatives:
>
> #1: only trust divert info for the fragment with offset 0
>     (i.e. the one which should have headers etc.)
>
> #2: keep as good the info from the first incoming fragment with
>     a non-zero *divinfo (i.e. one which matched a divert rule).
>
> I would prefer #1 because it is less prone to attacks and easier to
> implement, and also because there is a lot more information that
> the firewall can use to select the packet.

#1 sounds good to me too..
-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com
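The difference between the two alternatives in the quoted message, as an added example that is not part of the thread and not FreeBSD's reassembly code: a reduced model of the per-datagram divert bookkeeping, fed the same fragments in two arrival orders. The struct names, the helper functions and the divert port 8668 are assumptions made for the illustration; only the two policies themselves come from the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a fragment as seen by reassembly.
 * Field names are assumptions, not FreeBSD's struct members. */
struct frag {
    uint16_t ip_id;    /* IP identification shared by all fragments of one datagram */
    uint16_t offset;   /* fragment offset in bytes; 0 for the header-bearing fragment */
    uint16_t divinfo;  /* divert port recorded by the firewall; 0 = no divert rule matched */
};

/* Per-datagram reassembly state; only the divert bookkeeping is modelled. */
struct reass {
    uint16_t ip_id;
    uint16_t divinfo;  /* divert info the reassembled datagram will be handed to */
};

enum policy {
    TRUST_OFFSET_ZERO  = 1,  /* alternative #1 from the message */
    TRUST_FIRST_NONZERO = 2  /* alternative #2 from the message */
};

/* Apply one arriving fragment's divert info under the chosen policy. */
static void record_divinfo(struct reass *r, const struct frag *f, enum policy p)
{
    switch (p) {
    case TRUST_OFFSET_ZERO:
        /* #1: only the fragment carrying the headers decides; anything a
         * later or earlier non-first fragment says is ignored. */
        if (f->offset == 0)
            r->divinfo = f->divinfo;
        break;
    case TRUST_FIRST_NONZERO:
        /* #2: whichever fragment first matched a divert rule decides,
         * regardless of its offset. */
        if (r->divinfo == 0 && f->divinfo != 0)
            r->divinfo = f->divinfo;
        break;
    }
}

/* Feed fragments in arrival order; return the divert info the completed
 * datagram would carry. Fragments of other datagrams are skipped. */
uint16_t reassemble_divinfo(const struct frag *frags, size_t n, enum policy p)
{
    struct reass r;
    memset(&r, 0, sizeof r);
    r.ip_id = frags[0].ip_id;
    for (size_t i = 0; i < n; i++) {
        if (frags[i].ip_id != r.ip_id)
            continue;
        record_divinfo(&r, &frags[i], p);
    }
    return r.divinfo;
}

/* Constructed input: the non-first fragment arrives first and matched a
 * divert rule (hypothetical port 8668); the header-bearing fragment
 * arrives second and matched no divert rule. */
static const struct frag out_of_order[] = {
    { 0x1234, 1480, 8668 },
    { 0x1234,    0,    0 },
};

/* Constructed input: the ordinary case, header fragment first and it is
 * the one that matched the divert rule. */
static const struct frag in_order[] = {
    { 0x1234,    0, 8668 },
    { 0x1234, 1480,    0 },
};

uint16_t out_of_order_policy1(void) { return reassemble_divinfo(out_of_order, 2, TRUST_OFFSET_ZERO); }
uint16_t out_of_order_policy2(void) { return reassemble_divinfo(out_of_order, 2, TRUST_FIRST_NONZERO); }
uint16_t in_order_policy1(void)     { return reassemble_divinfo(in_order, 2, TRUST_OFFSET_ZERO); }
uint16_t in_order_policy2(void)     { return reassemble_divinfo(in_order, 2, TRUST_FIRST_NONZERO); }

int main(void)
{
    printf("out of order, #1 (offset 0 only):   divinfo=%u\n", out_of_order_policy1());
    printf("out of order, #2 (first non-zero):  divinfo=%u\n", out_of_order_policy2());
    printf("in order,     #1 (offset 0 only):   divinfo=%u\n", in_order_policy1());
    printf("in order,     #2 (first non-zero):  divinfo=%u\n", in_order_policy2());
    return 0;
}
```

In the ordinary case both policies agree. They part ways only when a fragment that does not carry the headers is the one that matched a divert rule: under #2 that fragment's divert info is kept for the whole datagram, under #1 it is discarded because the decision is reserved for the offset-0 fragment, which is the one the firewall can inspect with transport-layer information.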