From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 15 09:59:05 2009
From: Dmitriy Demidov
To: Sergey Matveychuk
Cc: freebsd-ipfw@freebsd.org, Luigi Rizzo
Date: Sun, 15 Mar 2009 11:58:54 +0200
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-Id: <200903151158.54572.dima_bsd@inbox.lv>
In-Reply-To: <49BCCC9D.30109@FreeBSD.org>
References: <200903132246.49159.dima_bsd@inbox.lv> <200903142031.53326.dima_bsd@inbox.lv> <49BCCC9D.30109@FreeBSD.org>
List-Id: IPFW Technical Discussions

On Sunday 15 March 2009, Sergey Matveychuk wrote:
> Dmitriy Demidov wrote:
> > Hi Luigi. Thank you for answer.
> > It is a big "surprise" for me that reassembling of IP datagrams is done not *before* they go into firewall, but *after* :(
>
> But what's wrong with it? A fragment got from net, pass firewall and
> store. After all fragments we got, OS reassembly a packet and pass it
> through firewall again.
>
> >> it is not related to dynamic rules, but to the fact that
> >> the firewall is called before reassembling packets.
> >> The info (port numbers especially) is not available
> >> in the fragments so the firewall cannot do anything.
> >> The only solution would be to call the firewall
> >> after reassembly. I am not sure if there is any work in progress
> >> for that.

If I got it right from Luigi's explanation, then the problem we see here happens this way: ipfw receives fragmented IP datagrams which contain a split UDP packet inside, (IP-fragment1/UDP-head) + (IP-fragment2/UDP-tail), and it cannot proceed with the second one because of the lack of a UDP header? IP reassembling happens after ipfw?
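As an added illustration (not part of this thread, and not ipfw's own code), the following Python model shows the sequence the thread describes: a UDP datagram is split into IP fragments, only the first fragment carries the UDP header with the port numbers, so a lookup keyed on the 5-tuple (what a keep-state dynamic rule needs) can match the first fragment but never the later ones; once the fragments are reassembled, the same lookup succeeds. The addresses, ports, MTU and payload are constructed test values; the reassembler is a minimal one for a single datagram and returns None while fragments are still missing.

```python
# Added illustration (not ipfw code): why a keep-state lookup that runs
# before IP reassembly cannot match the non-first fragments of a UDP datagram.
import socket
import struct

UDP = 17


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_fragment(src, dst, ident, proto, payload, offset_bytes, more):
    """One IPv4 packet (20-byte header, no options) carrying `payload`
    at fragment offset `offset_bytes` (a multiple of 8)."""
    flags_frag = (0x2000 if more else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def fragment_udp(src, dst, sport, dport, data, mtu=64, ident=0x1234):
    """Wrap `data` in a UDP header and split it the way a sender with a small
    MTU would. Only the first fragment contains the UDP header (the ports)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    chunk = (mtu - 20) // 8 * 8          # per-fragment payload, 8-byte aligned
    frags, off = [], 0
    while off < len(udp):
        piece = udp[off:off + chunk]
        frags.append(ipv4_fragment(src, dst, ident, UDP, piece, off,
                                   more=off + chunk < len(udp)))
        off += chunk
    return frags


def parse_ipv4(pkt):
    (ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src,
     dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "proto": proto, "src": src, "dst": dst,
            "more": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:total_len]}


def flow_key(pkt):
    """The 5-tuple a dynamic (keep-state) rule is keyed on, or None when the
    packet is a non-first fragment and so carries no UDP header at all."""
    p = parse_ipv4(pkt)
    if p["offset"] != 0 or len(p["payload"]) < 8:
        return None
    sport, dport = struct.unpack("!HH", p["payload"][:4])
    return (p["proto"], p["src"], sport, p["dst"], dport)


def stateful_check(pkt, dynamic_rules):
    """What a keep-state lookup sees: a fragment without a transport header
    cannot match any existing dynamic rule, whatever the rule says."""
    key = flow_key(pkt)
    return key is not None and key in dynamic_rules


def reassemble(frags):
    """Minimal reassembler for one datagram: returns the whole packet, or
    None while fragments are still missing."""
    pieces = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    ids = {(p["src"], p["dst"], p["ident"], p["proto"]) for p in pieces}
    if len(ids) != 1:
        raise ValueError("fragments belong to more than one datagram")
    data, expected = b"", 0
    for p in pieces:
        if p["offset"] != expected:
            return None                  # gap: a fragment has not arrived
        data += p["payload"]
        expected += len(p["payload"])
    if pieces[-1]["more"]:
        return None                      # last fragment not seen yet
    first = pieces[0]
    return ipv4_fragment(first["src"], first["dst"], first["ident"],
                         first["proto"], data, 0, False)


def demo():
    """Constructed traffic: a 100-byte UDP payload to port 53 between
    documentation addresses, fragmented at a 64-byte MTU into 3 fragments."""
    src, dst = socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.53")
    frags = fragment_udp(src, dst, 40000, 53, b"A" * 100)
    dynamic_rules = {flow_key(frags[0])}   # state created by the first fragment
    before = [stateful_check(f, dynamic_rules) for f in frags]
    after = stateful_check(reassemble(frags), dynamic_rules)
    return before, after


if __name__ == "__main__":
    print(demo())      # ([True, False, False], True)
```

Running `demo()` gives `[True, False, False]` for the three fragments checked individually and `True` for the reassembled datagram, which is exactly the gap the thread is about: a filter that only sees fragments has no port numbers to key its state on for anything after the first fragment, so either reassembly has to happen before the stateful check, or the policy for non-first fragments has to be decided without transport information.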