From owner-freebsd-security  Sat Sep  2 17:53:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.kyx.net (cr95838-b.crdva1.bc.wave.home.com [24.113.50.147])
	by hub.freebsd.org (Postfix) with ESMTP id E78E237B423
	for <freebsd-security@FreeBSD.ORG>; Sat,  2 Sep 2000 17:53:32 -0700 (PDT)
Received: from smp.kyx.net (unknown [10.22.22.45])
	by mail.kyx.net (Postfix) with SMTP
	id 8A6E81DC04; Sat,  2 Sep 2000 17:52:10 -0700 (PDT)
From: Dragos Ruiu <dr@kyx.net>
Organization: kyx.net
To: Bill Fumerola <billf@chimesnet.com>, Nicolas <list@rachinsky.de>
Subject: Re: ipfw and fragments
Date: Sat, 2 Sep 2000 17:50:02 -0700
X-Mailer: KYX-CP/M [version core00-mail-92]
Content-Type: text/plain
Cc: freebsd-security@FreeBSD.ORG
References: <007a01c01457$3b9eff80$e4aa603e@gottt> <20000901170437.J33771@jade.chc-chimes.com>
In-Reply-To: <20000901170437.J33771@jade.chc-chimes.com>
MIME-Version: 1.0
Message-Id: <00090217534118.20066@smp.kyx.net>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 01 Sep 2000, Bill Fumerola wrote:
> On Fri, Sep 01, 2000 at 10:56:41PM +0200, Nicolas wrote:
> > Is there a way to make ipfw to reassemble fragmented ip packets before passing them through the rules?
> 
> No. The relevant bits are only in the first packet.
> 

It could be made to reassemble them, 
but it would incurr a performance hit.  

cheers,
--dr

-- 
Dragos Ruiu <dr@dursec.com>    dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E  B7DC 2B71 A73E D2E8 A56D 
pgp key: http://www.dursec.com/drkey.asc


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message