From: Julian Elischer
Date: Tue, 13 Nov 2007 23:01:57 -0800
To: Curby
Cc: freebsd-ipfw
Subject: Re: Fwd: Fragmented Packet Reassembly and IPFW2
Message-ID: <473A9D65.7000002@elischer.org>

Curby wrote:
> Julian and Vadim, thank you both for your replies.
>
> Here's a really old quote:
>
> "The ip_input() routine in the kernel then dequeues the packet,
> performs sanity checks on the packet and determines the destination
> for the packet. If the destination is the local computer, the kernel
> will perform packet reassembly."

The firewall is the first thing ip_input does. It happens BEFORE reassembly.

> from http://usenix.net/events/bsdcon02/full_papers/lidl/lidl_html/index.html
>
> Also, this poster is less sure but suggests that this might happen:
> http://osdir.com/ml/freebsd.isp/2003-02/msg00091.html

He says "I think" and he's wrong. Check netinet/ip_input.c.

> I also think that Linux iptables only sees reassembled packets (at
> least some of the time, e.g. when it is legitimate traffic destined
> for the host itself), so this isn't altogether wild and crazy.

Maybe, but you are asking about FreeBSD.

> If in fact reassembly does not happen, I should remove that rule as
> frags will likely not match using a check-state rule because they lack
> tcp/udp header information. Is there a way in ipfw to allow frags
> that claim to be related to a known-good first frag but drop others?
> Something like check-state but for fragments 1 and above, in other
> words.

Not in ipfw. You might check pf and ipf.

> The odd thing is that I didn't see any dropped packets in my logs or
> notice any disrupted traffic (e.g. in a web browser) before this
> conference, where frags were suddenly flying all over. Thanks again
> for your help!

Frags are usually the result of tunnelling. People at a conference often have tunnels running.

> --Mike
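The point Julian makes above, that the firewall runs before reassembly and therefore sees raw fragments, is easy to check with a small model. The following is an added example, not code from the thread or from FreeBSD: it builds a two-fragment UDP datagram from constructed sample values, parses each fragment the way a packet filter would before reassembly, and shows that a 5-tuple stateful lookup (the model of a check-state rule) can match only the first fragment, because later fragments carry no UDP/TCP header at all. The addresses, ports and the `state_table` contents are constructed for the example.

```python
import socket
import struct

IP_MF = 0x2000            # "more fragments" bit in the flags/offset field
IP_OFFMASK = 0x1FFF       # fragment offset, in 8-byte units

def make_fragment(src, dst, proto, ident, offset, more, payload):
    """Build one IPv4 fragment (20-byte header, no options).
    The header checksum is left at zero: this model does not validate it."""
    flags_off = (IP_MF if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt):
    """Return the fields a pre-reassembly firewall can read from one packet.
    Ports are filled in only when the layer-4 header is actually present,
    i.e. on the first fragment (offset 0) of TCP (6) or UDP (17)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off, ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    offset = (flags_off & IP_OFFMASK) * 8
    more = bool(flags_off & IP_MF)
    fields = {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "proto": proto,
        "ident": ident,
        "offset": offset,
        "more_frags": more,
        "later_fragment": offset > 0,   # a non-first fragment: no L4 header
        "sport": None,
        "dport": None,
    }
    payload = pkt[ihl:]
    if offset == 0 and proto in (6, 17) and len(payload) >= 4:
        fields["sport"], fields["dport"] = struct.unpack("!HH", payload[:4])
    return fields

def stateful_match(fields, state_table):
    """Model of a check-state lookup keyed on the full 5-tuple.
    A later fragment has no ports, so there is nothing to key on and it
    cannot match any dynamic rule, however legitimate the datagram is."""
    if fields["sport"] is None:
        return False
    key = (fields["proto"], fields["src"], fields["sport"],
           fields["dst"], fields["dport"])
    return key in state_table

def sample_fragments():
    """Constructed sample: a 16-byte UDP datagram 192.0.2.10:40000 ->
    198.51.100.5:53 split into two fragments (8-byte-aligned first piece)."""
    udp_hdr = struct.pack("!HHHH", 40000, 53, 8 + 16, 0)
    data = b"A" * 8 + b"B" * 8
    whole = udp_hdr + data                 # 24 bytes of IP payload
    first = make_fragment("192.0.2.10", "198.51.100.5", 17, 0x1234,
                          0, True, whole[:16])
    second = make_fragment("192.0.2.10", "198.51.100.5", 17, 0x1234,
                           16, False, whole[16:])
    return [first, second]

def verdicts(fragments, state_table):
    """What a 5-tuple stateful rule decides for each fragment it sees."""
    out = []
    for pkt in fragments:
        f = parse_ipv4(pkt)
        if stateful_match(f, state_table):
            out.append("first fragment: state match, ports present")
        elif f["later_fragment"]:
            out.append("later fragment: no ports, check-state cannot match")
        else:
            out.append("no state for this flow")
    return out

if __name__ == "__main__":
    # The dynamic rule a keep-state rule would have created for this flow.
    state = {(17, "192.0.2.10", 40000, "198.51.100.5", 53)}
    for line in verdicts(sample_fragments(), state):
        print(line)
```

Running it prints a state match for the first fragment and a miss for the second. That is exactly the situation Curby describes: with reassembly happening after the firewall, a ruleset that relies only on check-state will never pass the later fragments, so any policy for them has to be written as an explicit rule (ipfw's `frag` option matches non-first fragments) rather than derived from the first fragment's state.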