From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 14 04:44:19 2007
To: freebsd-ipfw@freebsd.org
Date: Wed, 14 Nov 2007 10:24:35 +0600
From: "Vadim Goncharov"
Organization: AVTF TPU Hostel
In-Reply-To: <5d2f37910711131439x56bb2028maa40b0475feffde4@mail.gmail.com>
Subject: Re: Fragmented Packet Reassembly and IPFW2
List-Id: IPFW Technical Discussions

14.11.07 @ 04:39 Curby wrote:

> Hi, this is slightly off-topic as it relates to IPFW2 in Mac OS X (as
> of Tiger, 10.4.x).
>
> I've read that when a FreeBSD machine running IPFW2 receives a
> fragmented TCP packet (and let's say that the machine itself is the
> intended destination), the packet is reassembled before it gets to
> IPFW2, and IPFW2 sees a single TCP packet. Basically, the (first)
> question is whether this is the case in OS X.
>
> Next, and especially if reassembly occurs before the firewall, what is
> the point of the frag flag in a rule body, e.g.:
>
> add 04010 deny log all from any to any frag in
>
> Question 2 in a nutshell: what's the point of "frag" if frags are
> already being reassembled? Is this meant to reject incoming frags

No, you've read something wrong. Packets are not reassembled before the
firewall. At least they shouldn't be; no documentation says that they must
be. So those rules really deal with fragments; there is no reassembly. No
firewall does reassembly by default; pf also must be told explicitly to do
this with the 'scrub' keyword. Maybe you've misunderstood something while
reading about 'divert', and thought it reassembles all the time, not only
there? But that also occurs _after_ the firewall, anyway...

-- 
WBR, Vadim Goncharov
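The point above is that the firewall sees each fragment as it arrives on the wire, not a reassembled datagram. The following added example (not code from this thread or from ipfw itself) builds a constructed three-fragment TCP datagram and an unfragmented packet, parses the IPv4 flags and fragment offset the way a packet filter must, and shows which pieces a rule such as "deny log all from any to any frag in" would act on. It assumes, from my reading of ipfw(8), that a bare "frag" option matches fragments that are not the first fragment (non-zero offset); verify that against the manual of your ipfw version.

```python
import struct

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options


def build_ipv4(ident: int, mf: bool, offset: int, proto: int, payload: bytes) -> bytes:
    """Constructed sample packet; offset is in bytes (multiple of 8), checksum left zero."""
    assert offset % 8 == 0
    flags_off = ((1 if mf else 0) << 13) | (offset // 8)  # MF is bit 13, offset in 8-byte units
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_off, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Extract only the fields that fragment matching depends on."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    _, _, total_len, ident, flags_off, _, proto, _, _, _ = struct.unpack(IPV4_HDR, pkt[:20])
    return {"id": ident, "proto": proto, "total_len": total_len,
            "mf": bool(flags_off & 0x2000), "offset": (flags_off & 0x1FFF) * 8}


def is_fragment(h: dict) -> bool:
    """Any piece of a fragmented datagram: more-fragments set or non-zero offset."""
    return h["mf"] or h["offset"] != 0


def matches_ipfw_frag(h: dict) -> bool:
    """Bare ipfw 'frag': non-first fragments only (assumption stated in the lead-in)."""
    return h["offset"] != 0


def classify(pkts):
    """Evaluate each packet as the firewall sees it: unreassembled, one at a time."""
    out = []
    for p in pkts:
        h = parse_ipv4(p)
        # Only the offset-0 piece carries the TCP/UDP header, so port-based rules
        # cannot match the later pieces; that is what the 'frag' option is for.
        out.append({"id": h["id"], "offset": h["offset"], "mf": h["mf"],
                    "fragment": is_fragment(h), "frag_rule_denies": matches_ipfw_frag(h),
                    "has_l4_header": h["offset"] == 0})
    return out


# Constructed sample: a 3000-byte TCP datagram split into 1480/1480/40-byte fragments,
# followed by an unfragmented TCP packet. The first 4 payload bytes are TCP ports 80 -> 8080.
SAMPLE = [
    build_ipv4(0x1234, True, 0, 6, b"\x00\x50\x1f\x90" + b"A" * 1476),
    build_ipv4(0x1234, True, 1480, 6, b"B" * 1480),
    build_ipv4(0x1234, False, 2960, 6, b"C" * 40),
    build_ipv4(0x5678, False, 0, 6, b"\x00\x50\x1f\x90" + b"D" * 16),
]

if __name__ == "__main__":
    for verdict in classify(SAMPLE):
        print(verdict)
```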