Date:      Sun, 8 Feb 1998 17:38:42 -0700 (MST)
From:      Marc Slemko <marcs@znep.com>
To:        Joao Carlos Mendes Luis <jonny@coppe.ufrj.br>
Cc:        Archie Cobbs <archie@whistle.com>, hackers@FreeBSD.ORG
Subject:   Re: ipfw logs ports for fragments
Message-ID:  <Pine.BSF.3.95.980208173653.18733P-100000@alive.znep.com>
In-Reply-To: <199802090018.WAA11332@gaia.coppe.ufrj.br>

On Sun, 8 Feb 1998, Joao Carlos Mendes Luis wrote:

> #define quoting(Archie Cobbs)
> // Marc Slemko writes:
> // > Feb  4 16:08:27 zaius /kernel: ipfw: 320 Deny UDP 199.170.121.15:14592 198.161.84.2:2 in via de0 Fragment = 29
> // > 
> // > Trust me, those port numbers are not right.  ipfw should not log the
> // > port number if a packet is a fragment.
> // 
> // Good point... patch below fixes it.
> 
> Maybe a stupid question:
> 
> If you filter by port, only the first frag may be filtered.  Then, what will
> happen to the destination machine, receiving lots of incomplete packets ?

If you don't explicitly tell ipfw to pass frags, it will not.  That will
break some things, but is the safest way.

If you do tell it to pass them, then it will.  There is no real problem
(except for possible memory use, etc.) if a host gets fragments for a
packet; if it doesn't get the first part, it will not do anything with
them. 

See RFC-1858 for a discussion of some of the potential catches to
fragmentation and firewalls.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe hackers" in the body of the message
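Marc's point, and the bug the thread is about, worked through in code. This is an added example, not code from the thread or from ipfw: it builds constructed IPv4 fragments with struct, shows that the "ports" a logger prints for a non-first fragment are just whatever payload bytes sit where the transport header would be, and evaluates ipfw-style port rules the way the reply describes: a non-first fragment can never match a port rule and is passed only when fragments are explicitly allowed. The RFC 1858 checks (drop a TCP fragment at offset 1, drop a first TCP fragment too short to carry the flags) are included as the catches he points to. The rule tuple format, function names, TCP_TMIN value, addresses and sample packets are all assumptions of the example.

```python
"""Added example: why a non-first fragment has no ports to log, and how a
filter should treat fragments. Packets below are constructed, not captures."""
import struct

TCP, UDP = 6, 17
TCP_TMIN = 16   # assumed per RFC 1858: smallest first fragment that still carries the TCP flags


def build_ipv4(proto, src, dst, payload, ident=0x1234, frag_off=0, mf=False):
    """Build a minimal IPv4 packet (no options, header checksum left zero)."""
    flags_frag = (0x2000 if mf else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def parse_ipv4(pkt):
    """Return the fields a fragment-aware filter needs from an IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header")
    return {
        "proto": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "frag_off": flags_frag & 0x1FFF,   # in 8-byte units
        "mf": bool(flags_frag & 0x2000),   # More Fragments flag
        "payload": pkt[ihl:],
    }


def naive_ports(ip):
    """What a logger that ignores the fragment offset prints: the first four
    payload bytes read as source/destination port, whatever they really are."""
    if len(ip["payload"]) < 4:
        return None
    return struct.unpack("!HH", ip["payload"][:4])


def transport_ports(ip):
    """Ports exist only in the first fragment (offset 0) of a TCP or UDP packet."""
    if ip["frag_off"] != 0 or ip["proto"] not in (TCP, UDP) or len(ip["payload"]) < 4:
        return None
    return struct.unpack("!HH", ip["payload"][:4])


def decide(pkt, rules, pass_frags=False):
    """Evaluate ipfw-style port rules; returns (action, reason).
    rules: list of (action, proto, dst_port); unmatched traffic is denied."""
    ip = parse_ipv4(pkt)
    # RFC 1858 indirect method: a TCP fragment at offset 1 can only exist to
    # overwrite the flags carried by the first fragment, so drop it outright.
    if ip["proto"] == TCP and ip["frag_off"] == 1:
        return ("deny", "RFC 1858 fragment offset 1")
    # RFC 1858 direct method: first TCP fragment too short to carry the flags.
    if ip["proto"] == TCP and ip["frag_off"] == 0 and ip["mf"] \
            and len(ip["payload"]) < TCP_TMIN:
        return ("deny", "RFC 1858 tiny fragment")
    if ip["frag_off"] != 0:
        # No transport header here, so port rules cannot match; only an
        # explicit decision to pass fragments lets it through.
        return ("allow" if pass_frags else "deny", "non-first fragment")
    ports = transport_ports(ip)
    for action, proto, dport in rules:
        if proto == ip["proto"] and ports is not None and ports[1] == dport:
            return (action, f"rule {proto}/{dport}")
    return ("deny", "no matching rule")


# Constructed sample traffic (RFC 5737 documentation addresses, not a capture).
SRC, DST = "192.0.2.15", "198.51.100.2"
RULES = [("allow", UDP, 53)]
# First fragment of a UDP datagram to port 2: real UDP header plus 16 data bytes.
FIRST_FRAG = build_ipv4(UDP, SRC, DST,
                        struct.pack("!HHHH", 40000, 2, 8 + 16, 0) + b"A" * 16,
                        frag_off=0, mf=True)
# Its continuation at offset 29 (232 bytes in); the leading payload bytes are
# chosen so that a naive logger reads them as ports 14592 and 2.
SECOND_FRAG = build_ipv4(UDP, SRC, DST, bytes([0x39, 0x00, 0x00, 0x02]) + b"B" * 12,
                         frag_off=29, mf=False)
# A TCP fragment at offset 1: the RFC 1858 overlap case.
TCP_OVERLAP = build_ipv4(TCP, SRC, DST, b"\x00" * 8, frag_off=1, mf=False)

if __name__ == "__main__":
    for name, pkt in (("first", FIRST_FRAG), ("second", SECOND_FRAG), ("tcp-off1", TCP_OVERLAP)):
        ip = parse_ipv4(pkt)
        print(name, "naive:", naive_ports(ip), "real:", transport_ports(ip),
              "strict:", decide(pkt, RULES), "pass-frags:", decide(pkt, RULES, True))
```

Run as a script, the second fragment is the interesting row: naive_ports reports a source port of 14592 and a destination port of 2 for a fragment that carries no UDP header at all, while transport_ports returns None and decide() only passes it when pass_frags is set.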



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95.980208173653.18733P-100000>