Date: Sat, 2 Sep 2000 23:47:29 -0700
From: Dragos Ruiu <dr@kyx.net>
To: Bill Fumerola <billf@chimesnet.com>
Cc: Nicolas <list@rachinsky.de>, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
Message-ID: <0009022351571F.20066@smp.kyx.net>
In-Reply-To: <20000903023759.O33771@jade.chc-chimes.com>
References: <007a01c01457$3b9eff80$e4aa603e@gottt> <00090217534118.20066@smp.kyx.net> <20000903023759.O33771@jade.chc-chimes.com>
On Sat, 02 Sep 2000, Bill Fumerola wrote:
> On Sat, Sep 02, 2000 at 05:50:02PM -0700, Dragos Ruiu wrote:
>
> > > Is there a way to make ipfw reassemble fragmented IP packets before passing them through the rules?
> >
> > No. The relevant bits are only in the first packet.
> >
> > It could be made to reassemble them,
> > but it would incur a performance hit.
>
> What do you gain? Nothing that I can think that ipfw currently
> tests for is in the non-initial fragment.

Correct me if I'm wrong because I haven't looked at the ipfw source, but fragments don't get passed. There are some applications that like to send big packets (I have a video streaming system for instance that sends up to 64K UDP datagrams) that will always get fragmented. If I wanted to send such packets unmolested through ipfw it would have to "reassemble" them as it were so that once the first fragment got through the subsequent ones could follow too.

Or am I missing something here in what you're trying to do?

cheers,
--dr

--
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc
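An added illustration of the point the thread is arguing over (example code, not from the list posters or the ipfw source): a large UDP datagram like the streaming case above is split into IPv4 fragments, and a stateless per-packet check for "udp to port N" can only see the UDP ports in the first fragment, so every later fragment fails it unless a separate rule matches non-initial fragments (ipfw's `frag` option does exactly that). Addresses, ports, IP id and payload are constructed sample values; checksums are left zero.

```python
import struct

MTU, IP_HDR, UDP_HDR = 1500, 20, 8
MF = 0x2000                      # "More Fragments" flag in the flags/offset field
UDP = 17
IPV4_FMT = "!BBHHHBBH4s4s"       # version/ihl, tos, len, id, flags+off, ttl, proto, csum, src, dst

def fragment_udp(src, dst, sport, dport, payload, mtu=MTU):
    """Build the IPv4 fragments a host would emit for one UDP datagram (constructed, no checksums)."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR + len(payload), 0) + payload
    step = (mtu - IP_HDR) // 8 * 8          # fragment data length must be a multiple of 8
    frags = []
    for off in range(0, len(udp), step):
        chunk = udp[off:off + step]
        more = MF if off + step < len(udp) else 0
        hdr = struct.pack(IPV4_FMT, 0x45, 0, IP_HDR + len(chunk), 0x1234,
                          more | (off // 8), 64, UDP, 0, src, dst)
        frags.append(hdr + chunk)
    return frags

def classify(pkt):
    """Decode only what a stateless filter can see in this one packet."""
    _, _, _, _, fl_off, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:IP_HDR])
    offset = (fl_off & 0x1FFF) * 8
    info = {"proto": proto, "src": src, "dst": dst, "offset": offset, "frag": offset != 0}
    if proto == UDP and offset == 0:        # the UDP header rides only in the first fragment
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[IP_HDR:IP_HDR + 4])
    return info

def rule_allow_udp_dport(pkt, dport):
    """Like 'allow udp from any to any <dport>': matches only where the ports are visible."""
    i = classify(pkt)
    return i["proto"] == UDP and i.get("dport") == dport

def rule_allow_frag(pkt):
    """Like ipfw's 'frag' option: matches fragments that are not the first fragment."""
    return classify(pkt)["frag"]

def filter_verdicts(frags, dport, allow_frag):
    """Per-fragment allow/deny for a ruleset with, or without, the fragment rule."""
    return [rule_allow_udp_dport(p, dport) or (allow_frag and rule_allow_frag(p)) for p in frags]

if __name__ == "__main__":
    pkts = fragment_udp(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 4000, 5004, b"\x00" * 60000)
    print(len(pkts), "fragments; without frag rule:", filter_verdicts(pkts, 5004, False).count(True),
          "allowed; with frag rule:", filter_verdicts(pkts, 5004, True).count(True), "allowed")
```

The filter never reassembles anything here; it simply has no port fields to test in fragments 2..N, which is why a port-only ruleset drops the rest of the datagram.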