From owner-freebsd-security Sat Sep 2 23:51:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.kyx.net (cr95838-b.crdva1.bc.wave.home.com [24.113.50.147])
  by hub.freebsd.org (Postfix) with ESMTP id C008C37B424
  for ; Sat, 2 Sep 2000 23:51:28 -0700 (PDT)
Received: from smp.kyx.net (unknown [10.22.22.45])
  by mail.kyx.net (Postfix) with SMTP id 36B2F1DC03; Sat, 2 Sep 2000 23:50:28 -0700 (PDT)
From: Dragos Ruiu
Organization: kyx.net
To: Bill Fumerola
Subject: Re: ipfw and fragments
Date: Sat, 2 Sep 2000 23:47:29 -0700
X-Mailer: KYX-CP/M [version core00-mail-92]
Content-Type: text/plain
Cc: Nicolas , freebsd-security@FreeBSD.ORG
References: <007a01c01457$3b9eff80$e4aa603e@gottt> <00090217534118.20066@smp.kyx.net> <20000903023759.O33771@jade.chc-chimes.com>
In-Reply-To: <20000903023759.O33771@jade.chc-chimes.com>
MIME-Version: 1.0
Message-Id: <0009022351571F.20066@smp.kyx.net>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 02 Sep 2000, Bill Fumerola wrote:
> On Sat, Sep 02, 2000 at 05:50:02PM -0700, Dragos Ruiu wrote:
>
> > > > Is there a way to make ipfw reassemble fragmented IP packets before passing them through the rules?
> > >
> > > No. The relevant bits are only in the first packet.
> > >
> > It could be made to reassemble them,
> > but it would incur a performance hit.
>
> What do you gain? Nothing that I can think that ipfw currently
> tests for is in the non-initial fragment.
>

Correct me if I'm wrong because I haven't looked at the ipfw source, but fragments don't get passed. There are some applications that like to send big packets (I have a video streaming system, for instance, that sends up to 64K UDP datagrams) that will always get fragmented. If I wanted to send such packets unmolested through ipfw, it would have to "reassemble" them, as it were, so that once the first fragment got through the subsequent ones could follow too.
Or am I missing something here in what you're trying to do?

cheers,
--dr

--
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc
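The behaviour discussed in this message (the port fields exist only in the offset-0 fragment, so later fragments can follow only if the filter remembers the first one's verdict), as an added example that is not part of the original post and not taken from the ipfw source. It is a toy C filter keyed on source, destination, protocol and IP ID; the function names, table size and the port used in the sample are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IP_MF      0x2000  /* "more fragments" flag in the flags/offset word */
#define IP_OFFMASK 0x1fff  /* fragment offset, in 8-byte units */
#define NFLOWS     64      /* hypothetical table size */

/* Fields shared by every fragment of one datagram (4+4+2+1+1, no padding). */
struct frag_key { uint32_t src, dst; uint16_t id; uint8_t proto, used; };
static struct frag_key passed[NFLOWS];  /* ring; real code would expire by time */
static unsigned next_slot;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 1 to pass, 0 to drop. The only rule: allow UDP to allow_port. */
int filter(const uint8_t *pkt, size_t len, uint16_t allow_port)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return 0;
    uint16_t fo = rd16(pkt + 6);
    struct frag_key k = { 0 };
    memcpy(&k.src, pkt + 12, 4);
    memcpy(&k.dst, pkt + 16, 4);
    k.id = rd16(pkt + 4); k.proto = pkt[9]; k.used = 1;
    if ((fo & IP_OFFMASK) == 0) {
        /* Offset 0: the UDP header is present, so the port rule can be tested. */
        int ok = k.proto == 17 && len >= ihl + 8 && rd16(pkt + ihl + 2) == allow_port;
        if (ok && (fo & IP_MF))          /* more fragments will follow */
            passed[next_slot++ % NFLOWS] = k;
        return ok;
    }
    /* Non-initial fragment: no ports in it, only the remembered verdict applies. */
    for (int i = 0; i < NFLOWS; i++)
        if (memcmp(&passed[i], &k, sizeof k) == 0) return 1;
    return 0;
}

/* Constructed sample input: build a 28-byte fragment 10.0.0.1 -> 10.0.0.2, filter it. */
int try_frag(uint16_t id, uint16_t fo, uint16_t dport, uint16_t allow_port)
{
    uint8_t b[28] = { 0x45 };
    b[4] = (uint8_t)(id >> 8); b[5] = (uint8_t)id;
    b[6] = (uint8_t)(fo >> 8); b[7] = (uint8_t)fo;
    b[9] = 17; b[12] = 10; b[15] = 1; b[16] = 10; b[19] = 2;
    b[22] = (uint8_t)(dport >> 8); b[23] = (uint8_t)dport;
    return filter(b, sizeof b, allow_port);
}
```

A non-initial fragment that arrives before its first fragment is dropped by this sketch, since no verdict exists for it yet.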