Date:      Sun, 12 Mar 2000 17:52:07 -0500 (EST)
From:      Robert Watson <robert@cyrus.watson.org>
To:        Luigi Rizzo <luigi@info.iet.unipi.it>
Cc:        Mike Heffner <spock@techfour.net>, freebsd-ipfw@FreeBSD.ORG
Subject:   Re: ipfw doesn't match when src == dest
Message-ID:  <Pine.NEB.3.96L.1000312174746.6734E-100000@fledge.watson.org>
In-Reply-To: <200003101136.MAA75621@info.iet.unipi.it>

On Fri, 10 Mar 2000, Luigi Rizzo wrote:

> > Hello,
> > 
> > When I recently redid my firewall, I wanted to block a strange packet from my
> > cablemodem, 
> > 
> > Deny P:2 192.168.100.1 192.168.100.1 in via ed1
> 
> are you sure that the logging code prints the right thing ?
> I noticed (from source code analysis) it does strange things with
> fragments, it might as well misbehave with short packets etc.

Having spent about two minutes looking at the ipfw code, it looks like
there are no false accepts for ultra-fragmented UDP/TCP/ICMP packets
(i.e., the transmitter fragments the IP packet during UDP/TCP headers to
avoid packet matching) as PULLUP_TO drops if there isn't room for the TCP
or UDP header in any packet with ip->ip_p set appropriately.  However, it
looks like one side effect of this is that small fragments later in a
packet (such as the last 4 bytes of a TCP packet that was fragmented on
the path) will also be dropped as a result, as the IP body wouldn't have
room for a TCP header.

I believe that the correct test should be to drop only packets that are
either unfragmented, or the first fragment, if they are too short--not any
IP packet regardless of fragmentation.

As I said, this was a real quick source code inspection, and I have not
tested it with some characteristic packets.  It could also either not be a
problem, or be far worse.

  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
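A constructed C model of the two pull-up behaviours contrasted in the mail above (an added example, not ipfw source and not Robert's code): `pullup_check_original` drops any TCP/UDP packet whose IP body is too small for the transport header, while `pullup_check_proposed` applies that test only to unfragmented packets and first fragments. The `struct pkt` view of the packet and the header lengths are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the check discussed in the mail; not ipfw source. */
#define IPPROTO_TCP 6
#define IPPROTO_UDP 17
#define TCP_HDR_LEN 20   /* minimum TCP header */
#define UDP_HDR_LEN 8    /* fixed UDP header */

/* Assumed minimal view of an IP packet as the filter sees it. */
struct pkt {
    uint8_t  ip_p;        /* transport protocol carried in the IP header */
    uint16_t frag_offset; /* fragment offset (8-byte units); 0 = unfragmented or first fragment */
    size_t   body_len;    /* bytes present after the IP header */
};

enum verdict { PASS_TO_RULES = 0, DROP_SHORT = 1 };

/* Transport header length the pull-up requires, 0 if no pull-up applies. */
static size_t needed_hdr_len(uint8_t ip_p) {
    switch (ip_p) {
    case IPPROTO_TCP: return TCP_HDR_LEN;
    case IPPROTO_UDP: return UDP_HDR_LEN;
    default:          return 0;
    }
}

/* Behaviour read from the code: every packet with ip_p set to TCP/UDP must
 * hold a full transport header, so a small tail fragment is dropped as well. */
enum verdict pullup_check_original(const struct pkt *p) {
    size_t need = needed_hdr_len(p->ip_p);
    if (need != 0 && p->body_len < need)
        return DROP_SHORT;
    return PASS_TO_RULES;
}

/* The proposed test: only an unfragmented packet or a first fragment can carry
 * the transport header, so only those are dropped when too short; later
 * fragments go on to the rules as fragments. */
enum verdict pullup_check_proposed(const struct pkt *p) {
    size_t need = needed_hdr_len(p->ip_p);
    if (p->frag_offset == 0 && need != 0 && p->body_len < need)
        return DROP_SHORT;
    return PASS_TO_RULES;
}
```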