Date: Sun, 01 Sep 2024 23:53:55 -0700 From: Paul Vixie <paul@redbarn.org> To: FreeBSD Net <freebsd-net@freebsd.org> Cc: mike tancsa <mike@sentex.net> Subject: Re: dropping udp fragments with ipfw Message-ID: <2645251.Lt9SDvczpP@heater.srcl.tisf.net> In-Reply-To: <790fcb38-db6c-41ce-8222-8146be5dbe3b@sentex.net> References: <790fcb38-db6c-41ce-8222-8146be5dbe3b@sentex.net>
next in thread | previous in thread | raw e-mail | index | archive | help
with "add pass udp" one creates a rule that permits initial fragments of a=
=20
datagram, or unfragmented datagram, to pass. if this doesn't happen, then n=
o=20
subsequent fragment will matter even if allowed through -- because there wi=
ll=20
be no endpoint state to allow those fragments to be reassembled. so:
add allow ip from any to any frag
works pretty well. per ipfw(8), the "frag" option means non-initial fragmen=
ts:
Fragmented packets which have a non-zero offset (i.e., not the
first fragment) will never match a rule which has one or more
port specifications. See the frag option for details on match=
ing
fragmented packets.
and:
frag spec
Matches IPv4 packets whose ip_off field contains the comma
separated list of IPv4 fragmentation options specified in spec.
The recognized options are: df (don't fragment), mf (more
fragments), rf (reserved fragment bit) offset (non-zero fragme=
nt
offset). The absence of a particular options may be denoted w=
ith
a =E2=80=98!=E2=80=99.
Empty list of options defaults to matching on non-zero fragment
offset. Such rule would match all not the first fragment
datagrams, both IPv4 and IPv6. This is a backward compatibili=
ty
with older rulesets.
i won't use "reass" on a firewall for the same reasons i don't use LRO:
> LRO should not operate on machines acting as routers, as it breaks the en=
d-
to-end principle and can significantly impact performance.[13][14]
(https://en.wikipedia.org/wiki/TCP_offload_engine#Large_receive_offload)
if your question is about endpoint ipfw rather than IP firewall ipfw, reass=
is=20
fine. if what you want to do is drop large UDP attacks you probably do not=
=20
care whether fragments are involved and you should be looking at "pipe" and=
=20
"queue" from dummynet(4). if you really want to send only non-initial=20
fragments to some special pipe or queue you can do that, of course.
=2D-=20
P Vixie
On Thursday, August 29, 2024 11:51:37 AM PDT mike tancsa wrote:
> I was working on some firewall rules to drop large UDP fragment attacks
> and noticed there is no easy way to drop fragments based on port ? e.g.
> if someone sends a UDP packet of 1400 bytes, I can drop it with
>=20
> TARGET=3D192.168.1.1
>=20
> ipfw add 5 deny log udp from any 53 to $TARGET
>=20
> But if that packet is say 2000 bytes and is fragmented, the fragment
> passes through. I have to add a subsequent rule
>=20
> ipfw add 10 deny log udp from any to $TARGET fragment
>=20
> But this would kill all UDP fragments. If the host has some other UDP
> application that needs to deal with fragmented packets, is there a way
> to get around that and only drop packets with a certain port in the
> first fragment ?
>=20
> ---Mike
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2645251.Lt9SDvczpP>