From: Marc Slemko
To: Archie Cobbs
cc: jonny@coppe.ufrj.br, hackers@freebsd.org
Date: Sun, 8 Feb 1998 23:15:57 -0700 (MST)
Subject: Re: ipfw logs ports for fragments
In-Reply-To: <199802090600.WAA12310@bubba.whistle.com>

On Sun, 8 Feb 1998, Archie Cobbs wrote:

> Marc Slemko writes:
> > If you don't explicitly tell ipfw to pass frags, it will not. That will
> > break some things, but is the safest way.
>
> This is not correct.. ipfw will always block fragments whose offset
> is one (only seen in attempts to subvert firewalls) but not ordinary
> fragments... that would be a serious problem.

Ok, let me clarify that statement.

First, ipfw always blocks certain types of fragments that are used only to bypass firewalls.

Second, it will block any fragment that _could_ match any deny rule even if it has incomplete information so it doesn't know that it _does_ match the rule. Since the tcp header is normally only in the first fragment, if you block access to a specific port then ipfw can't know if subsequent fragments are to that port or not so it blocks them.

You need to add an explicit rule to allow it to pass such fragments if the risk is acceptable to you.
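The fragment handling Marc describes, as an added model written for this archive page (it is not FreeBSD's ip_fw.c and simplifies rule matching): offset-1 TCP fragments are dropped unconditionally, port-based rules can only be checked against the first fragment, a deny rule that could match a later fragment is treated as matching, and an explicit rule carrying ipfw's `frag` option is what lets such fragments through. The `Packet`, `Rule` and `evaluate` names are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    proto: str                    # "tcp", "udp", ...
    frag_offset: int              # in 8-byte units; 0 = first (or only) fragment
    dport: Optional[int] = None   # transport header is only in the first fragment

@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp", "udp", or "ip" (any protocol)
    dports: frozenset = frozenset()   # empty = no port qualifier
    frag: bool = False            # ipfw 'frag' option: non-first fragments only

def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, str]:
    """Return (action, reason) for one packet under an ordered rule list."""
    # Point one in the mail: an offset-1 TCP fragment can only exist to slide
    # a transport header past a port filter, so it is dropped before any rule.
    if pkt.proto == "tcp" and pkt.frag_offset == 1:
        return "deny", "tiny-fragment"
    is_frag = pkt.frag_offset > 0
    for i, r in enumerate(rules):
        if r.proto not in ("ip", pkt.proto):
            continue
        if r.frag:                          # only ever matches later fragments
            if is_frag:
                return r.action, f"rule {i} (frag)"
            continue
        if not r.dports:                    # no port qualifier: always decidable
            return r.action, f"rule {i}"
        if not is_frag:                     # first fragment: ports are known
            if pkt.dport in r.dports:
                return r.action, f"rule {i}"
            continue
        # Point two in the mail: a later fragment carries no port, so a deny
        # that *could* apply is applied; an allow that cannot be verified is not.
        if r.action == "deny":
            return "deny", f"rule {i} (incomplete info)"
    return default, "default"

# Constructed rulesets: the second adds the explicit pass-fragments rule.
BLOCK_TELNET = [Rule("deny", "tcp", frozenset({23})), Rule("allow", "ip")]
PASS_FRAGS = [Rule("allow", "ip", frag=True)] + BLOCK_TELNET
```

Under `BLOCK_TELNET` every non-first TCP fragment is dropped by the port-23 deny even though its port is unknown; under `PASS_FRAGS` they pass, while the offset-1 fragment is still refused.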