From owner-freebsd-hackers Mon Feb 9 00:42:07 1998
From: Archie Cobbs
Message-Id: <199802090716.XAA06954@bubba.whistle.com>
Subject: Re: ipfw logs ports for fragments
In-Reply-To: from Marc Slemko at "Feb 8, 98 11:15:57 pm"
To: marcs@znep.com (Marc Slemko)
Date: Sun, 8 Feb 1998 23:16:09 -0800 (PST)
Cc: jonny@coppe.ufrj.br, freebsd-hackers@freebsd.org

Marc Slemko writes:
> On Sun, 8 Feb 1998, Archie Cobbs wrote:
>
> > Marc Slemko writes:
> > > If you don't explicitly tell ipfw to pass frags, it will not. That will
> > > break some things, but is the safest way.
> >
> > This is not correct.. ipfw will always block fragments whose offset
> > is one (only seen in attempts to subvert firewalls) but not ordinary
> > fragments... that would be a serious problem.
>
> Ok, let me clarify that statement.
>
> First, ipfw always blocks certain types of fragments that are used only to
> bypass firewalls.
>
> Second, it will block any fragment that _could_ match any deny rule even
> if it has incomplete information so it doesn't know that it _does_ match
> the rule. Since the tcp header is normally only in the first fragment, if
> you block access to a specific port then ipfw can't know if subsequent
> fragments are to that port or not so it blocks them. You need to add an
> explicit rule to allow it to pass such fragments if the risk is acceptable
> to you.

After looking at the code, you're exactly right.. and this is a bug.

The way it works now is that the port range tests are simply not applied
to packets that have non-zero offsets. This means a rule with a port range
can possibly match fragments of packets it's not intended for -- independently
of whether it's an accept rule, deny rule, divert rule, or whatever. In other
words, port range rules match non-zero offset fragments too liberally.

If it's an accept rule, this is OK -- because if the packet is really supposed
to be rejected, then the first fragment always will be, so the entire packet
is lost, even if you accidentally pass other fragments of it. Matching too
liberally here is OK.

However, if it's a deny rule, then you may be unexpectedly blocking some
fragments of packets (and therefore the entire packet), even if these packets'
ports don't fall in the range specified by the deny rule. Oops. What you want
to do here instead is match too conservatively and NOT match questionable
fragments.

In the case of divert, count, skipto, etc. rules... what's the right answer??
There isn't one unless the kernel keeps track of all the fragments flying by,
and matches them up with their corresponding initial fragments, and whether
that initial fragment matched or not.. i.e., keeping a lot of extra information
around.

Recommendation:

- At the least, a note should be added to the man page for this.
- Going further: for accept and deny rules we can special case the rule and
  do (very close to) the right thing as discussed above.
- Going still further: for divert rules, if the packet matches we have to
  assemble all the fragments anyway, so we're keeping most of the state we
  need to keep already. Once we get the whole packet, we determine whether
  or not to divert it or forward it.
- Going all the way: extend above divert approach to all rules that match
  port ranges: for any fragments of packets that *might* match a port range
  rule, reassemble the entire packet before applying the rule.

Come to think of it, the latter approach would not be that hard since the
kernel is doing this already for locally routed packets, that is, reassembling
packet fragments in a fragment queue. Moreover, "most" packets don't get
fragmentized. It would spread more ugliness into ip_input.c, but at least the
behavior of the ipfw code would then be semantically correct...

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
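The over-liberal port-range matching described in the message above, and the per-action fix it proposes for accept and deny rules, as an added toy model that is not code from the thread or from ipfw itself; the packet and rule structs, the constructed ruleset and the default policy are assumptions made for the illustration.

```c
/* Added example, not code from the thread or from ipfw itself: a toy model
 * of the port-range matching bug described above. Packet/rule structs,
 * default policy and the match_fixed() variant are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum action { ACCEPT, DENY };
struct pkt  { uint8_t proto; uint16_t ip_off; uint16_t dport; }; /* dport valid only if ip_off == 0 */
struct rule { enum action act; uint8_t proto; uint16_t lo, hi; };  /* dst port range lo..hi */

/* Current behaviour: the port test is simply not applied to non-zero-offset
 * fragments, so a port-range rule matches every later fragment of any flow. */
static bool match_liberal(const struct rule *r, const struct pkt *p)
{
    if (p->proto != r->proto) return false;
    if (p->ip_off != 0) return true;              /* no TCP header to inspect */
    return p->dport >= r->lo && p->dport <= r->hi;
}
/* Per-action fix from the message: accept rules may keep matching liberally
 * (a packet that should be denied still loses its first fragment); deny
 * rules must match conservatively and skip fragments whose ports are unknown. */
static bool match_fixed(const struct rule *r, const struct pkt *p)
{
    if (p->proto != r->proto) return false;
    if (p->ip_off != 0) return r->act == ACCEPT;
    return p->dport >= r->lo && p->dport <= r->hi;
}
/* First matching rule wins; constructed ruleset "deny tcp 80, allow tcp 25",
 * everything else denied by default. */
static const struct rule rules[] = { { DENY, 6, 80, 80 }, { ACCEPT, 6, 25, 25 } };
static enum action filter(const struct pkt *p,
                          bool (*match)(const struct rule *, const struct pkt *))
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (match(&rules[i], p)) return rules[i].act;
    return DENY;
}
/* Verdict for one TCP fragment; ip_off is in 8-byte units as in the IP header,
 * dport is only meaningful when ip_off == 0. */
enum action liberal_verdict(uint16_t ip_off, uint16_t dport)
{
    struct pkt p = { 6, ip_off, dport };
    return filter(&p, match_liberal);
}
enum action fixed_verdict(uint16_t ip_off, uint16_t dport)
{
    struct pkt p = { 6, ip_off, dport };
    return filter(&p, match_fixed);
}
```

With the liberal matcher a later fragment of a permitted port-25 packet hits the port-80 deny rule and is dropped, which is the over-blocking the message describes; with the fixed matcher the deny rule ignores it and the accept rule passes it, while first fragments are judged by their real port in both versions.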