From owner-freebsd-ipfw@freebsd.org Thu Jan 7 00:16:03 2016
From: Dan Lists
To: freebsd-ipfw@freebsd.org
Subject: Handling Fragments
Date: Wed, 6 Jan 2016 18:16:02 -0600

I have two primary questions regarding the handling of fragments (and some follow-up questions). The first question is in reference to IPv4 fragments and net.inet.ip.fw.one_pass, and the second question is about handling IPv6 fragments.

The rule 'ipfw add reass ip4 from any to any in' is supposed to handle all IPv4 fragments. I am confused about the net.inet.ip.fw.one_pass variable. The man page says:

"if net.inet.ip.fw.one_pass is set to 0, processing continues with the next rule. Otherwise, the packet is allowed to pass and the search terminates."

Does this mean that if net.inet.ip.fw.one_pass is 1, which is the default, fragmented packets skip the remainder of my rules and the packet is allowed through? Or is the filtering based on the first packet in the fragment? I could not find any clear documentation on this. Is there a performance penalty for setting net.inet.ip.fw.one_pass to 0?

The reass rule does not work for IPv6, so what is the best way to handle IPv6 fragments? I am seeing IPv6 fragments being blocked, mostly DNS responses. I have seen some suggestions to allow all fragments in. It seems like that would be a potential attack vector. An attacker could fragment the packet and connect to an otherwise blocked port.

Any feedback would be appreciated.

Thanks!
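As an added illustration (not code from ipfw, FreeBSD, or the poster), here is a constructed Python model of the reass / one_pass interaction exactly as the ipfw(8) wording quoted in the post describes it: with one_pass=1 the reassembled datagram is allowed to pass before any later deny rule is consulted, with one_pass=0 it is evaluated against them. The rule list, port numbers and fragment values are all constructed for the example.

```python
# Constructed model of how ipfw's "reass" action interacts with
# net.inet.ip.fw.one_pass, following the ipfw(8) wording quoted above.
# Illustration only; this is not code from ipfw or FreeBSD.
from dataclasses import dataclass


@dataclass
class Frag:
    dst_port: int   # transport port; only the first fragment (offset 0) carries it
    offset: int     # IPv4 fragment offset; 0 marks the first fragment
    more: bool      # MF flag; False on the last fragment of the datagram


def later_rules(pkt, blocked_ports):
    """Rules after reass: deny traffic to blocked ports, allow everything else."""
    return "deny" if pkt.dst_port in blocked_ports else "pass"


def filter_datagram(frags, one_pass, blocked_ports):
    """Run the fragments of one inbound IPv4 datagram through this rule list:
         reass ip4 from any to any in
         deny ip from any to any dst-port <blocked_ports>
         allow ip from any to any
    Returns what happens to the (reassembled) datagram."""
    held = []
    for f in frags:
        if f.offset == 0 and not f.more:
            # Not fragmented: reass only updates counters; the next rule is evaluated.
            return later_rules(f, blocked_ports)
        held.append(f)
        first = next((h for h in held if h.offset == 0), None)
        if first is None or all(h.more for h in held):
            continue        # middle fragment: consumed by reass, search stops for it
        # Last fragment arrived: reass rebuilds the datagram.
        if one_pass:
            return "pass"   # one_pass=1: allowed to pass, search terminates
        return later_rules(first, blocked_ports)  # one_pass=0: deny rule still applies
    return "consumed"       # datagram never completed; later rules never saw it
```

Running the same two-fragment datagram through the model with one_pass=1 and then 0 shows the deny rule only taking effect in the second case, which is the behaviour the quoted man page text implies.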
From owner-freebsd-ipfw@freebsd.org Fri Jan 8 22:57:53 2016
From: Karim Fodil-Lemelin
To: freebsd-ipfw@freebsd.org
Subject: Re: layer2 ipfw fwd
Date: Fri, 8 Jan 2016 17:57:46 -0500
Message-ID: <56903EEA.3030905@gmail.com>
In-Reply-To: <567D7EA9.6050201@freebsd.org>
References: <567795F1.5080605@freebsd.org> <56780F5A.5060209@freebsd.org> <1450885787.1918354.474995842.261BD65D@webmail.messagingengine.com> <567D7EA9.6050201@freebsd.org>

On 2015-12-25 12:36 PM, Julian Elischer wrote:
> On 23/12/2015 11:49 PM, Mark Felder wrote:
>>
>> On Mon, Dec 21, 2015, at 08:40, Julian Elischer wrote:
>>> This is EXACTLY what the cisco/ironport web filter appliance does...
>>>
>> If we had this in FreeBSD nobody would have to reinvent the wheel to
>> build a similar appliance, right? And it might allow someone to build a
>> competing open source FreeBSD-based web filter appliance with this same
>> feature set...
> nah...there is SO MUCH MORE to what the ironport does.

Yes, and that is why the FWD action isn't part of the bridge, if I recall the old discussions. Where I work, we also have an L2 transparent proxy (we wrote it way back on FBSD 4.5 based on Luigi's old bridge code), but it is very specific to one particular application. Trying to support a generic L2 FWD action that does any next-hop forwarding as a general solution (which is what you'd need to do for FBSD) would require a lot of code that most users wouldn't want to see the bridge burdened with. Well, that is what we've seen throughout the years.

K.