From owner-freebsd-ipfw@FreeBSD.ORG Sat Mar 14 18:31:57 2009
From: Dmitriy Demidov
To: Sergey Matveychuk, Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org
Date: Sat, 14 Mar 2009 20:31:53 +0200
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-Id: <200903142031.53326.dima_bsd@inbox.lv>
In-Reply-To: <49BBB94A.7040208@FreeBSD.org>
References: <200903132246.49159.dima_bsd@inbox.lv> <49BBB94A.7040208@FreeBSD.org>
List-Id: IPFW Technical Discussions

On Saturday 14 March 2009, Sergey Matveychuk wrote:
> What if you add:
>
> add allow ip from any to any frag
>
> instead the line above?

Hi Sergey.

Yes, it works this way. Unbound can do DNSSEC queries via this rule (and cannot without it).
Here is an example (both ipfw and unbound are just restarted):

before DNSSEC query

00100  106 22184 allow ip from any to any via lo0
00200    0     0 deny ip from any to 127.0.0.0/8
00300    0     0 deny ip from 127.0.0.0/8 to any
00400    0     0 allow ip from any to any frag
00500    0     0 check-state
00600    0     0 allow icmp from any to me icmptypes 0,3,11
00700    0     0 allow icmp from me to any out keep-state
00800    0     0 allow tcp from me to any out keep-state
00900    1    76 allow udp from me to any out keep-state
01000   30  1882 deny ip from any to any
65535   20  3300 deny ip from any to any

after DNSSEC query

00100  164 33830 allow ip from any to any via lo0
00200    0     0 deny ip from any to 127.0.0.0/8
00300    0     0 deny ip from 127.0.0.0/8 to any
00400    1   461 allow ip from any to any frag
00500    0     0 check-state
00600    0     0 allow icmp from any to me icmptypes 0,3,11
00700    0     0 allow icmp from me to any out keep-state
00800    0     0 allow tcp from me to any out keep-state
00900   67 16551 allow udp from me to any out keep-state
01000   50  3134 deny ip from any to any
65535   20  3300 deny ip from any to any

---

Hi Luigi.

Thank you for the answer. It is a big "surprise" for me that reassembling of IP datagrams is done not *before* they go into the firewall, but *after* :(

I have two questions.

1) Can modern Ethernet cards with enabled hardware offloading functions (and a supported driver) help in this situation (can they do reassembling)?

2) How hard would it be to extend ipfw functionality with a feature that will enable it to do at least IP reassembling (just like pf scrub does)?

About my second question. If there is no other way to solve this problem using the current ipfw/FreeBSD implementation, then I can offer a 500 WMZ (webmoney) bounty to anyone who will extend ipfw (or the FreeBSD IP stack?) functionality with a "scrubber" that can do at least IP reassembling, and whose code quality will be good enough for inclusion in the official FreeBSD code base. Unfortunately 500$ is my upper limit at this moment. :)
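The exchange above, modelled as an added example that is not part of the thread and not ipfw code: a toy evaluator for rules 00400, 00500, 00900 and 01000 of the ruleset, run over constructed packets (a UDP query out, then a 1608-byte response that the sender split into two IPv4 fragments). It shows why the second fragment can never match the keep-state entry: only the first fragment carries the UDP header, so check-state has no ports to look up, and without the `frag` rule the fragment falls through to the final deny. The addresses, port numbers, the 1480-byte fragment boundary and the five-tuple state table are all assumptions of this model.

```python
# Added example (not code from the thread): a toy model of the ipfw ruleset
# discussed above, to show why the non-first fragment of a large DNSSEC
# response never matches a keep-state entry and needs the "frag" rule.
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_UDP = 17
ME = "192.0.2.10"           # constructed host address ("me" in the ruleset)
RESOLVER = "198.51.100.53"  # constructed upstream DNS server address


@dataclass
class Pkt:
    src: str
    dst: str
    proto: int
    frag_off: int          # byte offset of this fragment within the datagram
    mf: bool               # "more fragments" flag
    sport: Optional[int]   # None when the fragment carries no UDP header
    dport: Optional[int]
    direction: str         # "in" or "out", relative to the host


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               ident: int = 1, frag_off: int = 0, mf: bool = False) -> bytes:
    """Minimal IPv4 header (checksum left zero) in front of payload.
    frag_off is given in 8-byte units, as on the wire."""
    flags_frag = (0x2000 if mf else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse(raw: bytes, direction: str) -> Pkt:
    """Parse the IPv4 header; UDP ports are readable only in a first fragment."""
    vihl, _, _, _, ff, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (vihl & 0x0F) * 4
    frag_off = (ff & 0x1FFF) * 8
    mf = bool(ff & 0x2000)
    sport = dport = None
    if frag_off == 0 and proto == IPPROTO_UDP and len(raw) >= ihl + 8:
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return Pkt(socket.inet_ntoa(s), socket.inet_ntoa(d), proto, frag_off, mf,
               sport, dport, direction)


class Firewall:
    """Rules 00400, 00500, 00900 and 01000 of the ruleset above, simplified."""

    def __init__(self, allow_frag: bool, me: str = ME):
        self.allow_frag = allow_frag
        self.me = me
        self.state = set()  # (proto, local addr, local port, remote addr, remote port)

    def filter(self, p: Pkt) -> str:
        # 00400 allow ip from any to any frag -- matches non-first fragments only
        if self.allow_frag and p.frag_off > 0:
            return "allow(frag)"
        # 00500 check-state -- needs the ports, which only a first fragment has
        if p.sport is not None:
            key = ((p.proto, p.src, p.sport, p.dst, p.dport) if p.direction == "out"
                   else (p.proto, p.dst, p.dport, p.src, p.sport))
            if key in self.state:
                return "allow(dynamic)"
        # 00900 allow udp from me to any out keep-state
        if (p.direction == "out" and p.proto == IPPROTO_UDP
                and p.src == self.me and p.sport is not None):
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "allow(keep-state)"
        # 01000 deny ip from any to any
        return "deny"


def dnssec_exchange(allow_frag: bool) -> List[str]:
    """Outbound query, then a constructed 1608-byte UDP response that the
    sender split into two fragments at a 1480-byte boundary."""
    fw = Firewall(allow_frag)
    query = build_ipv4(ME, RESOLVER, IPPROTO_UDP, build_udp(53000, 53, b"\x00" * 40))
    verdicts = [fw.filter(parse(query, "out"))]
    resp_udp = build_udp(53, 53000, b"\x00" * 1600)
    first = build_ipv4(RESOLVER, ME, IPPROTO_UDP, resp_udp[:1480], ident=7, mf=True)
    second = build_ipv4(RESOLVER, ME, IPPROTO_UDP, resp_udp[1480:], ident=7,
                        frag_off=1480 // 8)
    verdicts.append(fw.filter(parse(first, "in")))
    verdicts.append(fw.filter(parse(second, "in")))
    return verdicts


if __name__ == "__main__":
    print("without frag rule:", dnssec_exchange(False))
    print("with frag rule:   ", dnssec_exchange(True))
```

The verdicts on the second fragment line up with the counters in the "after" listing: the one 461-byte packet on rule 00400 is the tail fragment, and the first fragment is the one the dynamic rule accounted to 00900. The model also makes the trade-off visible: with the `frag` rule in place, every non-first fragment is accepted without any state check at all, which is exactly the gap that reassembling datagrams before they reach the firewall (the pf scrub behaviour asked about above) would close.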