From: Curby (envelope-from curby.public@gmail.com)
To: freebsd-ipfw@freebsd.org
Date: Tue, 13 Nov 2007 15:39:58 -0700
Message-ID: <5d2f37910711131439x56bb2028maa40b0475feffde4@mail.gmail.com>
Subject: Fragmented Packet Reassembly and IPFW2
List-Id: IPFW Technical Discussions

Hi, this is slightly off-topic as it relates to IPFW2 in Mac OS X (as of Tiger, 10.4.x).

I've read that when a FreeBSD machine running IPFW2 receives a fragmented TCP packet (and let's say that the machine itself is the intended destination), the packet is reassembled before it gets to IPFW2, and IPFW2 sees a single TCP packet. Basically, the (first) question is whether this is the case in OS X.

Next, and especially if reassembly occurs before the firewall, what is the point of the frag flag in a rule body, e.g.:

    add 04010 deny log all from any to any frag

Question 2 in a nutshell: what's the point of "frag" if frags are already being reassembled? Is this meant to reject incoming frags that aren't reassembled by the kernel (i.e. crap traffic)?

I'm actually using the exact rule above in my laptop firewall configuration, and the only time I've seen it triggering is at a conference's wifi network, where other clients would be sending multicast frags to 224.0.0.251. (If that's crap traffic, why would it be rampant at that conference?)

Thanks!
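The poster only has the rule's log lines to go on, so a small parser that pulls the fragment details out of them is a useful way to answer the "is this crap traffic?" question for oneself. The following is an added example, not code from the message or from the FreeBSD/ipfw project; the log format it parses is assumed from the ipfw kernel logger (rule number printed without leading zeros, no ports on non-first fragments, and a trailing "(frag id:len@offset+)" where "+" means more fragments follow), and the log lines are constructed. It groups the matched non-first fragments by source/destination pair and by original datagram, which is enough to see whether the hits are a handful of large mDNS datagrams to 224.0.0.251 or something odder.

```python
import re
from collections import Counter

# Constructed sample lines in the assumed shape of ipfw syslog output.
SAMPLE_LOG = """\
Nov 13 14:39:58 laptop kernel: ipfw: 4010 Deny UDP 10.1.2.3 224.0.0.251 in via en1 (frag 53452:1480@1480+)
Nov 13 14:39:58 laptop kernel: ipfw: 4010 Deny UDP 10.1.2.3 224.0.0.251 in via en1 (frag 53452:1112@2960)
Nov 13 14:40:01 laptop kernel: ipfw: 4010 Deny UDP 10.1.2.9 224.0.0.251 in via en1 (frag 8:1480@1480+)
Nov 13 14:40:05 laptop kernel: ipfw: 65000 Deny TCP 10.1.2.7:51234 10.1.2.3:22 in via en1
"""

# Ports are optional because the logger has no transport header on a
# non-first fragment; the "(frag ...)" suffix is optional for the same reason.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
    r"(?: \(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\))?"
)


def parse_ipfw_line(line):
    """Return a dict of fields for one ipfw log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["frag"] = rec["id"] is not None          # non-first fragment?
    rec["more_frags"] = rec["more"] == "+"       # more fragments follow?
    return rec


def summarize_frags(log_text):
    """Count logged non-first fragments per (src, dst) pair and per (src, IP id) datagram."""
    by_pair = Counter()
    by_datagram = Counter()
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec and rec["frag"]:
            by_pair[(rec["src"], rec["dst"])] += 1
            by_datagram[(rec["src"], rec["id"])] += 1
    return by_pair, by_datagram


if __name__ == "__main__":
    pairs, datagrams = summarize_frags(SAMPLE_LOG)
    for (src, dst), n in pairs.most_common():
        print(f"{src} -> {dst}: {n} fragment(s) logged")
    print(f"{len(datagrams)} distinct fragmented datagram(s)")
```

Many fragments per (src, id) with a last fragment lacking "+" is a normal oversized datagram; a flood of distinct ids with only "+" fragments and no tail is the pattern worth a closer look.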