From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 15 11:12:00 2009
Message-ID: <49BCE276.1050509@FreeBSD.org>
Date: Sun, 15 Mar 2009 14:11:50 +0300
From: Sergey Matveychuk
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org, Dmitriy Demidov
In-Reply-To: <49BCDB0D.6070608@FreeBSD.org>
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?

Sergey Matveychuk wrote:
> Luigi Rizzo wrote:
>> On Sun, Mar 15, 2009 at 12:38:37PM +0300, Sergey Matveychuk wrote:
>>> Dmitriy Demidov wrote:
>>>> Hi Luigi. Thank you for the answer.
>>>> It is a big "surprise" for me that reassembling of IP datagrams is
>>>> done not *before* they go into the firewall, but *after* :(
>>> But what's wrong with it? A fragment is received from the net, passes
>>> the firewall and is stored. After we get all fragments, the OS
>>> reassembles the packet and passes it through the firewall again.
>>
>> Currently we don't have a way to re-invoke the firewall after
>> reassembly. In fact, we should probably provide hooks before and
>> after reassembly, and use them in a configurable way.
>
> It sounds like a security issue. We can construct any packet that passes
> through the firewall?
>

Well, I see the first fragment will be checked. But anyway I think the
reassembled packet must pass the firewall again.

--
Dixi.
Sem.