Date: Wed, 18 Mar 2009 11:33:44 +0100 (CET)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-ipfw@FreeBSD.ORG, rizzo@iet.unipi.it
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <200903181033.n2IAXieV038438@lurza.secnetix.de>
In-Reply-To: <20090317231222.GD95451@onelab2.iet.unipi.it>

I'm just curious ...

Is it really worth the effort to add fragment reassembly to IPFW? What advantage does it have?

It would be much easier to simply pass all fragments with offset > 1, and drop all fragments with offset 0 that are smaller than a certain reasonable minimum length. What would be the problem with this approach?

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Munich registry
court, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more: http://www.secnetix.de/bsd

"IRIX is about as stable as a one-legged drunk with hypothermia in a
four-hundred mile per hour wind, balancing on a banana peel on a greased
cookie sheet -- when someone throws him an elephant with bad breath and
a worse temper."
        -- Ralf Hildebrandt
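
The stateless fragment policy proposed in the message above, sketched as an added example (not part of the original message and not IPFW code). The names `frag_policy` and `classify_sample`, the caller-supplied minimum length, and the decision to drop offset 1 (which the message does not cover) are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum frag_verdict { FRAG_NOT_FRAGMENT, FRAG_CHECK_RULES, FRAG_PASS, FRAG_DROP };

#define IP_MF      0x2000u   /* "more fragments" flag */
#define IP_OFFMASK 0x1fffu   /* fragment offset, in 8-byte units */

/* Read a 16-bit big-endian header field. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decide what to do with one IPv4 packet without reassembling it. */
enum frag_verdict
frag_policy(const uint8_t *pkt, size_t len, size_t min_first_payload)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return FRAG_DROP;                 /* no usable IPv4 header */
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = be16(pkt + 2);
    if (hlen < 20 || total < hlen || total > len)
        return FRAG_DROP;                 /* inconsistent length fields */
    uint16_t ff = be16(pkt + 6);
    uint16_t off = ff & IP_OFFMASK;
    if (off == 0 && !(ff & IP_MF))
        return FRAG_NOT_FRAGMENT;         /* whole datagram: normal rules */
    if (off == 0)                         /* first fragment: needs full L4 header */
        return (total - hlen < min_first_payload) ? FRAG_DROP : FRAG_CHECK_RULES;
    if (off == 1)
        return FRAG_DROP;                 /* assumption: not covered by the message */
    return FRAG_PASS;                     /* offset > 1: passed unconditionally */
}

/* Constructed sample: a bare 20-byte IPv4/UDP header with the given total
 * length and flags+offset word, classified by the policy above. */
enum frag_verdict
classify_sample(uint16_t total, uint16_t flags_off, size_t min_first_payload)
{
    uint8_t pkt[1500] = {0};
    pkt[0] = 0x45;                        /* version 4, header length 20 */
    pkt[2] = (uint8_t)(total >> 8);     pkt[3] = (uint8_t)(total & 0xff);
    pkt[6] = (uint8_t)(flags_off >> 8); pkt[7] = (uint8_t)(flags_off & 0xff);
    pkt[9] = 17;                          /* protocol: UDP */
    return frag_policy(pkt, sizeof(pkt), min_first_payload);
}

int main(void)
{
    printf("tiny first fragment -> %d\n", classify_sample(36, 0x2000, 28));
    return 0;
}
```

Later fragments that pass here carry no port numbers, so any port-based or keep-state decision can only be made on the first fragment.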