Date: Sun, 21 Feb 2021 19:10:32 +0100
From: "Kristof Provost" <kp@FreeBSD.org>
To: "Doug Hardie" <bc979@lafn.org>
Cc: "net@freebsd.org" <net@FreeBSD.org>
Subject: Re: IPv6 Fragmentation
Message-ID: <B541DABC-9C26-4D11-8AEB-0049D125CB8E@FreeBSD.org>
In-Reply-To: <5F0CE151-3B44-4692-AE82-F292B99BAC29@sermon-archive.info>
References: <CB0FB5AB-5A37-4C40-A103-3E0D97CEA6B9@sermon-archive.info> <472A2B49-9BEC-4335-B6FB-AC4DAA0F0310@lurchi.franken.de> <A01F640F-E412-474C-A34C-19B7219BD84D@sermon-archive.info> <DE246A9E-E931-4870-8EDB-AD5F9FBC7574@FreeBSD.org> <5F0CE151-3B44-4692-AE82-F292B99BAC29@sermon-archive.info>
On 21 Feb 2021, at 0:02, Doug Hardie wrote:
>> On 20 February 2021, at 04:13, Kristof Provost <kp@FreeBSD.org> wrote:
>>
>> If you don’t have scrub fragment reassemble set then you have to
>> include something like pass log inet6 proto ipv6-frag all to pass
>> fragmented packets (assuming you block by default).
>>
>> You really, really want scrub fragment reassemble because otherwise
>> your firewall can be trivially bypassed, but you need one of the two
>> for fragmented packets to work.
>>
>
> I went with reassembly as it was easy to configure. However, is there
> some place where the trivial bypassing is addressed in detail? I
> would like to understand that.
>
Essentially this: https://en.wikipedia.org/wiki/IP_fragmentation_attack#Fragmentation_for_evasion

The attacker breaks up the packet into fragments so that the real upper-layer header (e.g. TCP) is not in the first packet. All the firewall sees is a fragmentation header and a few random bytes. Not enough to, for example, get the port number.

So the firewall allows it through (‘pass log inet6 proto ipv6-frag’), and your policy to deny traffic to port 22 has not been applied.

Best regards,
Kristof
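The two pf.conf arrangements Kristof contrasts, written out side by side as an added illustration (this is not configuration posted in the thread; the default-deny rule, the port 22 block and the port 80 pass rule are assumed for the example). pf evaluates filter rules top to bottom and, without `quick`, the last matching rule wins; `scrub` rules belong in the normalization section, before any filter rules.

```pf
# --- Variant A: no reassembly ---------------------------------------------
# Each IPv6 fragment is filtered on its own. A first fragment that carries
# only the Fragment extension header and a few bytes has no TCP header for
# "proto tcp ... port 22" to match, so the only rule it can hit is the
# ipv6-frag pass rule, and the port 22 policy is never applied to it.
block in log all
pass log inet6 proto ipv6-frag all
block in log inet6 proto tcp to port 22
pass in inet6 proto tcp to port 80

# --- Variant B: reassemble, then filter -----------------------------------
# pf collects the fragments and filters the reassembled packet, so the TCP
# header (and therefore the destination port) is always visible to the
# filter rules. No ipv6-frag pass rule is needed.
scrub in all fragment reassemble
block in log all
block in log inet6 proto tcp to port 22
pass in inet6 proto tcp to port 80
```

Only one variant goes into a real pf.conf. `pfctl -nf /etc/pf.conf` parses the file without loading it and will reject a `scrub` rule placed after the filter rules, which is the most common mistake when adding reassembly to an existing ruleset.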