Date: Tue, 13 Nov 2007 23:01:57 -0800 From: Julian Elischer <julian@elischer.org> To: Curby <curby.public@gmail.com> Cc: freebsd-ipfw <freebsd-ipfw@freebsd.org> Subject: Re: Fwd: Fragmented Packet Reassembly and IPFW2 Message-ID: <473A9D65.7000002@elischer.org> In-Reply-To: <5d2f37910711132245n3e699b57i1746594462725a09@mail.gmail.com> References: <5d2f37910711131439x56bb2028maa40b0475feffde4@mail.gmail.com> <opt1rk69dr4fjv08@nuclight.avtf.net> <5d2f37910711132244w39e73eb0nb8d8ac460dd15fcd@mail.gmail.com> <5d2f37910711132245n3e699b57i1746594462725a09@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Curby wrote: > Julian and Vadim, thank you both for your replies. Here's a really old quote: > > "The ip_input() routine in the kernel then dequeues the packet, > performs sanity checks on the packet and determines the destination > for the packet. If the destination is the local computer, the kernel > will perform packet reassembly. " The firewall is the first thing ip_input does. it happens BEFORE reassembly. > > from http://usenix.net/events/bsdcon02/full_papers/lidl/lidl_html/index.html > > Also, this poster is less sure but suggests that this might happen: > http://osdir.com/ml/freebsd.isp/2003-02/msg00091.html he says "I think" and he's wrong. check netinet/ip_input.c > > I also think that Linux iptables only sees reassembled packets (at > least some of the time, e.g. when it is legitimate traffic destined > for the host itself), so this isn't altogether wild and crazy. maybe, but you are asking about FreeBSD > > If in fact reassembly does not happen, I should remove that rule as > frags will likely not match using a check-state rule because they lack > tcp/udp header information. Is there a way in ipfw to allow frags > that claim to be related to a known-good first frag but drop others? > Something like check-state but for fragments 1 and above, in other > words. not in ipfw. you might check pf and ipf > > The odd thing is that I didn't see any dropped packets in my logs or > notice any disrupted traffic (e.g. in a web browser) before this > conference, where frags were suddenly flying all over. Thanks again > for your help! frags are usually the result of tunnelling. People at a conference often have tunnels running. > > --Mike > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?473A9D65.7000002>