Date: Sat, 21 Mar 2009 00:46:57 +0100 (CET)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-ipfw@FreeBSD.ORG, dima_bsd@inbox.lv
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <200903202346.n2KNkvQu011749@lurza.secnetix.de>
In-Reply-To: <200903192129.03360.dima_bsd@inbox.lv>
Dmitriy Demidov wrote:
> Oliver Fromme wrote:
> > I'm just curious ... Is it really worth the effort to add
> > fragment reassembly to IPFW? What advantage does it have?
> >
> > It would be much easier to simply pass all fragments with
> > offset > 1, and drop all fragments with offset 0 that are
> > smaller than a certain reasonable minimum length. What
> > would be the problem with this approach?
>
> Please wait... If I got it right (and am not missing something) then this rule:
> ipfw add allow ip from any to me frag
> has a disadvantage - I'm unable to filter data by UDP/TCP ports. All IP
> packets are just passing through the firewall to me. No UDP/TCP filtering here?

From the ipfw(8) manual page:

     frag    Matches packets that are fragments and not the first
             fragment of an IP datagram.

That rule does _not_ pass the first fragment of a fragmented packet.
So you can still filter by TCP and UDP ports.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht
München, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

"We will perhaps eventually be writing only small modules which are
identified by name as they are used to build larger ones, so that devices
like indentation, rather than delimiters, might become feasible for
expressing local structure in the source language."
        -- Donald E. Knuth, 1974
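To make the point of the reply concrete, here is an added example (not part of the mail thread and not ipfw's own code) that models the three rules under discussion in Python: the `frag` rule that passes only non-first fragments, a port-based UDP rule that is therefore still evaluated against the first fragment, and the minimum-length check on offset-0 fragments that Oliver proposed. The addresses, rule numbers, the 28-byte minimum and the packets themselves are all constructed for the demonstration; the matcher walks the fragments of a real IPv4/UDP datagram built with `struct`, so it shows why a later fragment carries no port numbers to filter on.

```python
import struct
from ipaddress import IPv4Address

ME = "192.0.2.10"            # constructed "me" address (RFC 5737 documentation range)
MIN_FIRST_FRAGMENT = 28      # constructed minimum: 20-byte IP header + 8-byte UDP header
IPPROTO_UDP = 17


def build_udp(sport, dport, data):
    # UDP header: sport, dport, length, checksum (0 = no checksum, allowed for IPv4)
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_ipv4(src, dst, proto, payload, ident, more_fragments, frag_offset_bytes):
    # IPv4 header without options; fragment offset is encoded in 8-byte units
    assert frag_offset_bytes % 8 == 0
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def fragment(src, dst, proto, payload, ident, mtu=1500):
    # Split a transport payload into IPv4 fragments the way a sending host would
    max_data = ((mtu - 20) // 8) * 8
    frags, off = [], 0
    while off < len(payload):
        chunk = payload[off:off + max_data]
        more = off + len(chunk) < len(payload)
        frags.append(build_ipv4(src, dst, proto, chunk, ident, more, off))
        off += len(chunk)
    return frags


def parse(pkt):
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl,
     proto, _csum, s, d) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": str(IPv4Address(s)), "dst": str(IPv4Address(d)), "proto": proto,
            "mf": bool(flags_frag & 0x2000), "offset": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:total_len]}
    # Only an offset-0 fragment carries the transport header, and only if it is long enough
    if info["offset"] == 0 and proto == IPPROTO_UDP and len(info["payload"]) >= 8:
        info["sport"], info["dport"] = struct.unpack("!HH", info["payload"][:4])
    return info


def ipfw_decision(pkt):
    """Walk a constructed ruleset and return (verdict, matching rule number).

    Rule semantics follow the ipfw(8) text quoted in the mail: 'frag' matches
    fragments that are not the first fragment, i.e. fragment offset > 0.
    """
    p = parse(pkt)
    # 100: deny first fragments of a fragmented datagram that are shorter than the
    #      minimum needed to hold the transport header (Oliver's suggested check)
    if p["offset"] == 0 and p["mf"] and len(pkt) < MIN_FIRST_FRAGMENT:
        return ("deny", 100)
    # 200: allow ip from any to me frag   (non-first fragments only; no ports present)
    if p["dst"] == ME and p["offset"] > 0:
        return ("allow", 200)
    # 300: allow udp from any to me 53    (seen by unfragmented packets and first fragments)
    if p["dst"] == ME and p["proto"] == IPPROTO_UDP and p.get("dport") == 53:
        return ("allow", 300)
    # 65535: deny ip from any to any
    return ("deny", 65535)


def filter_datagram(sport, dport, size, mtu=1500):
    # Constructed datagram from a peer to ME, fragmented at the given MTU
    udp = build_udp(sport, dport, b"A" * size)
    frags = fragment("198.51.100.7", ME, IPPROTO_UDP, udp, ident=0x1234, mtu=mtu)
    return [ipfw_decision(f) for f in frags]


def tiny_first_fragment():
    # Constructed first fragment that carries only 4 bytes of the UDP header
    pkt = build_ipv4("198.51.100.7", ME, IPPROTO_UDP,
                     struct.pack("!HH", 4000, 53), 7, True, 0)
    return ipfw_decision(pkt)


if __name__ == "__main__":
    print(filter_datagram(4000, 53, 3000))   # first fragment by port rule, rest by frag rule
    print(filter_datagram(4000, 80, 3000))   # first fragment denied, rest still pass
    print(tiny_first_fragment())             # too short to carry a UDP header: denied
```

A 3000-byte payload to port 53 yields three fragments: the first is accepted by rule 300 on its destination port, the other two by rule 200. The same datagram to port 80 has its first fragment denied by the default rule while the later fragments still pass rule 200; that is exactly the behaviour Oliver proposes, since without its first fragment the datagram can never be reassembled and the transport header is never delivered. The first-fragment minimum length closes the remaining gap of an offset-0 fragment too short to contain the port numbers the UDP rule needs.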
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200903202346.n2KNkvQu011749>