Date: Thu, 19 Mar 2009 21:29:03 +0200
From: Dmitriy Demidov <dima_bsd@inbox.lv>
To: freebsd-ipfw@freebsd.org
Cc: Oliver Fromme <olli@lurza.secnetix.de>
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <200903192129.03360.dima_bsd@inbox.lv>
In-Reply-To: <200903181033.n2IAXieV038438@lurza.secnetix.de>
References: <200903181033.n2IAXieV038438@lurza.secnetix.de>
On Wednesday 18 March 2009, Oliver Fromme wrote:
> I'm just curious ... Is it really worth the effort to add
> fragment reassembly to IPFW? What advantage does it have?
>
> It would be much easier to simply pass all fragments with
> offset > 1, and drop all fragments with offset 0 that are
> smaller than a certain reasonable minimum length. What
> would be the problem with this approach?
>
> Best regards
> Oliver

Please wait... If I got it right (and am not missing something), then this rule:

ipfw add allow ip from any to me frag

has a disadvantage: I'm unable to filter data by UDP/TCP ports. All IP packets are just passing through the firewall to me. No UDP/TCP filtering here?
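The trade-off the two posters are discussing, modelled as an added example (this is not code from the thread or from ipfw). ipfw's "frag" option matches fragments that are not the first fragment of a datagram, and those carry no UDP/TCP header, so no rule can check their ports; Oliver's proposal pairs "pass non-first fragments" with "drop first fragments too short to hold the transport header", so that the port check on the first fragment cannot be sidestepped by pushing the ports into the second one. The permitted UDP ports, the minimum first-fragment length and the sample packets below are all constructed for this illustration.

```python
import struct

# Assumptions for this example (not from the thread): the host accepts UDP
# only on these destination ports, and a first fragment must carry at least
# the IPv4 header (20 bytes) plus a full UDP header (8 bytes).
ALLOWED_UDP_DPORTS = {53, 123}
MIN_FIRST_FRAG_LEN = 20 + 8

IPPROTO_TCP = 6
IPPROTO_UDP = 17


def build_ipv4(proto, ident, more_frags, frag_offset, payload):
    """Constructed IPv4 packet; header checksum left zero (not verified here).
    frag_offset is in 8-byte units, as on the wire."""
    flags_off = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def parse_ipv4(pkt):
    """Minimal IPv4 header parse: protocol, MF flag, byte offset, payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _id, flags_off, _ttl, proto, _csum,
     _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("not a sane IPv4 header")
    return {
        "proto": proto,
        "more_frags": bool(flags_off & 0x2000),
        "offset": (flags_off & 0x1FFF) * 8,   # byte offset into the datagram
        "payload": pkt[ihl:],
    }


def transport_ports(hdr):
    """(sport, dport) if present; only the first fragment can carry them."""
    if hdr["offset"] != 0 or hdr["proto"] not in (IPPROTO_TCP, IPPROTO_UDP):
        return None
    if len(hdr["payload"]) < 4:
        return None
    return struct.unpack("!HH", hdr["payload"][:4])


def decide(pkt):
    """(verdict, reason) for one packet under the policy proposed in the thread."""
    hdr = parse_ipv4(pkt)
    if hdr["offset"] > 0:
        # Non-first fragment: no transport header exists, so a port check is
        # impossible. This is what "allow ip from any to me frag" passes.
        return ("allow", "non-first fragment, no ports to inspect")
    if hdr["more_frags"] and len(pkt) < MIN_FIRST_FRAG_LEN:
        # Tiny first fragment: the transport header would land in the next
        # fragment, where the port check below could not see it.
        return ("deny", "first fragment shorter than %d bytes" % MIN_FIRST_FRAG_LEN)
    ports = transport_ports(hdr)
    if hdr["proto"] == IPPROTO_UDP and ports and ports[1] in ALLOWED_UDP_DPORTS:
        return ("allow", "udp dport %d permitted" % ports[1])
    return ("deny", "port policy")


# Constructed sample traffic (UDP header: sport, dport, length, checksum).
UDP_DNS = struct.pack("!HHHH", 40000, 53, 12, 0) + b"QUER"
UDP_6000 = struct.pack("!HHHH", 40000, 6000, 8, 0)
SAMPLE_PACKETS = {
    "whole dns query": build_ipv4(IPPROTO_UDP, 1, False, 0, UDP_DNS),
    "first frag dns":  build_ipv4(IPPROTO_UDP, 2, True, 0, UDP_DNS),
    "later frag":      build_ipv4(IPPROTO_UDP, 2, True, 2, b"\x00" * 16),
    "tiny first frag": build_ipv4(IPPROTO_UDP, 3, True, 0, b"\x9c\x40"),  # sport only
    "whole udp 6000":  build_ipv4(IPPROTO_UDP, 4, False, 0, UDP_6000),
}


def summarize(packets=SAMPLE_PACKETS):
    """Map each sample name to its verdict."""
    return {name: decide(pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print("%-16s -> %s (%s)" % ((name,) + decide(pkt)))
```

The "later frag" sample is the case Dmitriy objects to: it is allowed without any port check, because there is nothing to check. The "tiny first frag" sample is the case Oliver's minimum-length rule exists for: without it, an attacker could send a 22-byte first fragment that passes the port filter trivially and put the real UDP ports in the following fragment, which the "frag" rule then passes unexamined.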