Date:      Wed, 14 Nov 2007 10:24:35 +0600
From:      "Vadim Goncharov" <vadimnuclight@tpu.ru>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: Fragmented Packet Reassembly and IPFW2
Message-ID:  <opt1rk69dr4fjv08@nuclight.avtf.net>
In-Reply-To: <5d2f37910711131439x56bb2028maa40b0475feffde4@mail.gmail.com>
References:  <5d2f37910711131439x56bb2028maa40b0475feffde4@mail.gmail.com>

14.11.07 @ 04:39 Curby wrote:

> Hi, this is slightly off-topic as it relates to IPFW2 in Mac OS X (as
> of Tiger, 10.4.x).
>
> I've read that when a FreeBSD machine running IPFW2 receives a
> fragmented TCP packet (and let's say that the machine itself is the
> intended destination), the packet is reassembled before it gets to
> IPFW2, and IPFW2 sees a single TCP packet.  Basically, the (first)
> question is whether this is the case in OS X.
>
> Next, and especially if reassembly occurs before the firewall, what is
> the point of the frag flag in a rule body, e.g.:
>
> add 04010 deny log  all from any to any frag in
>
> Question 2 in a nutshell: what's the point of "frag" if frags are
> already being reassembled?  Is this meant to reject incoming frags

No, you've read something wrong. Packets are not reassembled before the
firewall. At least they shouldn't be; no documentation says that it must
be. So are those rules - they're really dealing with fragments, no
reassembly. No firewall does reassembly by default; pf also must be told
explicitly to do this by the 'scrub' keyword. Maybe you've misunderstood
somewhat while reading about 'divert', and thought it reassembles all the
time, not only there? But that also occurs _after_ the firewall, anyway...

-- 
WBR, Vadim Goncharov
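Added illustration, not part of the thread above: ipfw(8) documents `frag` as matching fragments that are not the first fragment of a datagram (nonzero fragment offset), and such fragments carry no TCP/UDP header, which is why a rule like `deny log all from any to any frag in` can act on raw fragments without any reassembly. The script below builds three constructed IPv4 packets (unfragmented, first fragment, trailing fragment) and applies that match logic; the packet builder and sample addresses are assumptions for the demo.

```python
import struct

IP_OFFMASK = 0x1FFF   # 13-bit fragment offset, in 8-byte units
IP_MF = 0x2000        # "more fragments" flag
IP_DF = 0x4000        # "don't fragment" flag
IPPROTO_TCP = 6


def parse_ipv4(pkt: bytes) -> dict:
    """Pull the header fields a fragment-matching rule looks at."""
    vhl, _tos, _tlen, _ident, off_field, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (vhl & 0x0F) * 4
    return {
        "proto": proto,
        "mf": bool(off_field & IP_MF),
        "offset": (off_field & IP_OFFMASK) * 8,   # byte offset within the datagram
        "payload": pkt[ihl:],
    }


def ipfw_frag_matches(pkt: bytes) -> bool:
    """ipfw 'frag' semantics: only non-first fragments (offset != 0) match."""
    return parse_ipv4(pkt)["offset"] != 0


def tcp_ports(pkt: bytes):
    """Ports are visible only in the first fragment (offset 0) of a TCP datagram."""
    hdr = parse_ipv4(pkt)
    if hdr["proto"] != IPPROTO_TCP or hdr["offset"] != 0 or len(hdr["payload"]) < 4:
        return None            # trailing fragment: no transport header to inspect
    return struct.unpack("!HH", hdr["payload"][:4])


def build(off_field: int, payload: bytes, proto: int = IPPROTO_TCP) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero) plus payload; demo only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, off_field,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


# Constructed samples: a TCP header stub with sport 12345, dport 22.
TCP_STUB = struct.pack("!HHII", 12345, 22, 1, 0)
WHOLE = build(IP_DF, TCP_STUB)             # ordinary unfragmented packet
FIRST = build(IP_MF | 0, TCP_STUB)         # first fragment: offset 0, MF set
TRAILING = build(2, b"\x00" * 16)          # offset 2*8 = 16 bytes, no MF, no TCP header

if __name__ == "__main__":
    for name, pkt in (("whole", WHOLE), ("first", FIRST), ("trailing", TRAILING)):
        print(name, "frag match:", ipfw_frag_matches(pkt), "ports:", tcp_ports(pkt))
```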
