From owner-freebsd-hackers Mon Aug 19 12:03:03 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA00138 for hackers-outgoing; Mon, 19 Aug 1996 12:03:03 -0700 (PDT)
Received: from asstdc.scgt.oz.au (root@asstdc.scgt.oz.au [202.14.234.65]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id MAA00116 for ; Mon, 19 Aug 1996 12:02:59 -0700 (PDT)
Received: (from imb@localhost) by asstdc.scgt.oz.au (8.7.5/BSD4.4) id FAA10601 Tue, 20 Aug 1996 05:02:44 +1000 (EST)
From: michael butler
Message-Id: <199608191902.FAA10601@asstdc.scgt.oz.au>
Subject: Re: Which fragments to discard (was Re: ipfw vs ipfilter)
To: archie@whistle.com (Archie Cobbs)
Date: Tue, 20 Aug 1996 05:02:43 +1000 (EST)
Cc: hackers@freebsd.org
In-Reply-To: <199608190232.TAA26469@bubba.whistle.com> from "Archie Cobbs" at Aug 18, 96 07:32:46 pm
X-Mailer: ELM [version 2.4 PL24beta]
Content-Type: text
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Archie Cobbs writes:

> > Poul-Henning Kamp writes:
> > : This is a common mistake, only offset==1 needs to be discarded.
> > Hmmm, since there are no comments in ip_fw.c as to why only offset 1
> > is a problem, I'll have to ask here. Why is that?
> RFC 1858 supposedly explains why.

Speaking of which, what follows slid right past my border router :-(

This evening's (-stable + ipfw) log included ..
Deny TCP :24940 202.14.234.65:26735 Fragment = 34
Deny TCP :30569 202.14.234.65:25451 Fragment = 68
Deny TCP :31008 202.14.234.65:29807 Fragment = 102
Deny TCP :24940 202.14.234.65:26735 Fragment = 34
Deny TCP :30569 202.14.234.65:25451 Fragment = 68
Deny TCP :31008 202.14.234.65:29807 Fragment = 102
Deny TCP :24940 202.14.234.65:26735 Fragment = 34
Deny TCP :30569 202.14.234.65:25451 Fragment = 68
Deny TCP :31008 202.14.234.65:29807 Fragment = 102
Deny TCP :24940 202.14.234.65:26735 Fragment = 34
Deny TCP :31008 202.14.234.65:29807 Fragment = 102
Deny TCP :30569 202.14.234.65:25451 Fragment = 68
Deny TCP :24940 202.14.234.65:26735 Fragment = 34
Deny TCP :30569 202.14.234.65:25451 Fragment = 68
Deny TCP :31008 202.14.234.65:29807 Fragment = 102

All things considered, I think the decision to configure all my kernels to be "defensive" by default was not such a bad idea. Anyone who can't build packets properly I don't want to talk to and I told them so in email ..

	michael
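As an added example (not code from this thread, from ipfw or from FreeBSD), here is the RFC 1858 rule that the "only offset==1" remark above refers to, applied to raw IPv4 headers: a TCP fragment with fragment offset 1 is dropped because it can overwrite the flags and ports of the first fragment on reassembly, and a first fragment (offset 0) carrying fewer than tmin = 16 bytes of transport header is dropped because a filter cannot see the fields it needs to decide. The packets, addresses and the zeroed TCP header are constructed for the demonstration; the header checksum is left zero and not verified.

```python
"""RFC 1858 fragment checks on raw IPv4 headers (added example, not ipfw code)."""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IP_MF = 0x2000        # "more fragments" bit in the flags/fragment-offset field
IP_OFFMASK = 0x1FFF   # fragment offset, counted in 8-byte units (as ipfw logs it)
TMIN = 16             # RFC 1858 tmin: bytes of TCP header a first fragment must carry


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(payload: bytes, frag_offset_units: int = 0, more_fragments: bool = False,
               proto: int = IPPROTO_TCP, src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """Build a minimal IPv4 header (IHL=5, checksum zero) in front of payload (constructed)."""
    ihl = 5
    total_len = ihl * 4 + len(payload)
    flags_off = (IP_MF if more_fragments else 0) | (frag_offset_units & IP_OFFMASK)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl,   # version / IHL
                         0,                # TOS
                         total_len,
                         0x1234,           # identification (arbitrary)
                         flags_off,        # flags + fragment offset
                         64,               # TTL
                         proto,
                         0,                # header checksum (not computed here)
                         ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Extract only the fields the fragment checks depend on."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _ident, flags_off, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        raise ValueError("bad IHL / total length")
    return {
        "proto": proto,
        "frag_offset": flags_off & IP_OFFMASK,
        "more_fragments": bool(flags_off & IP_MF),
        "transport_len": total_len - ihl,   # transport bytes present in this datagram
    }


def fragment_verdict(pkt: bytes) -> str:
    """Return 'drop' or 'pass' for one IPv4 datagram under the RFC 1858 rules."""
    h = parse_ipv4(pkt)
    if h["proto"] != IPPROTO_TCP:
        return "pass"                      # RFC 1858 is specifically about TCP
    if h["frag_offset"] == 0 and h["transport_len"] < TMIN:
        return "drop"                      # tiny first fragment: TCP header is split
    if h["frag_offset"] == 1:
        return "drop"                      # overlapping fragment: can rewrite TCP header bytes
    return "pass"                          # offset 0 with a full header, or offset >= 2


def demo() -> dict:
    """Run the verdict over constructed datagrams; keys describe each case."""
    tcp_header = bytes(20)                 # constructed: zeroed 20-byte TCP header
    samples = {
        "unfragmented": build_ipv4(tcp_header),
        "first_fragment_ok": build_ipv4(tcp_header + bytes(4), 0, True),
        "tiny_first_fragment": build_ipv4(tcp_header[:8], 0, True),
        "offset_1_fragment": build_ipv4(bytes(8), 1, True),
        "offset_34_fragment": build_ipv4(bytes(64), 34, False),
        "udp_offset_1": build_ipv4(bytes(8), 1, True, proto=IPPROTO_UDP),
    }
    return {name: fragment_verdict(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Note that the offsets in the log above (34, 68 and 102, in 8-byte units) are neither 0 nor 1, so this rule alone passes such fragments; a ruleset that denies every fragment is stricter than RFC 1858 requires.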