Date: Wed, 14 Nov 2007 14:05:27 +0600
From: "Vadim Goncharov" <vadimnuclight@tpu.ru>
To: freebsd-ipfw <freebsd-ipfw@freebsd.org>
Subject: Re: Fwd: Fragmented Packet Reassembly and IPFW2
Message-ID: <opt1rvfdo04fjv08@nuclight.avtf.net>
In-Reply-To: <5d2f37910711132245n3e699b57i1746594462725a09@mail.gmail.com>
References: <5d2f37910711131439x56bb2028maa40b0475feffde4@mail.gmail.com> <opt1rk69dr4fjv08@nuclight.avtf.net> <5d2f37910711132244w39e73eb0nb8d8ac460dd15fcd@mail.gmail.com> <5d2f37910711132245n3e699b57i1746594462725a09@mail.gmail.com>
14.11.07 @ 12:45 Curby wrote:

> "The ip_input() routine in the kernel then dequeues the packet,
> performs sanity checks on the packet and determines the destination
> for the packet. If the destination is the local computer, the kernel
> will perform packet reassembly."

Yes, but this happens AFTER the firewall. And only for the local computer, not transit traffic.

> from
> http://usenix.net/events/bsdcon02/full_papers/lidl/lidl_html/index.html

This is an article about BSD/OS ipfw, not FreeBSD's ipfw - they're very different.

> Also, this poster is less sure but suggests that this might happen:
> http://osdir.com/ml/freebsd.isp/2003-02/msg00091.html

He's wrong.

> I also think that Linux iptables only sees reassembled packets (at
> least some of the time, e.g. when it is legitimate traffic destined
> for the host itself), so this isn't altogether wild and crazy.

I don't know about Linux' behaviour in this case (and anyway, it's irrelevant to FreeBSD).

> If in fact reassembly does not happen, I should remove that rule as
> frags will likely not match using a check-state rule because they lack
> tcp/udp header information. Is there a way in ipfw to allow frags
> that claim to be related to a known-good first frag but drop others?
> Something like check-state but for fragments 1 and above, in other
> words.

No, that needs reassembly. You can try using a divert socket as the first rule on the input, though, as packets get reassembled before diverting. You need to put something listening on the divert socket and echoing packets back. It can be ng_ksocket + ng_echo, try to experiment with them. Or use pf scrub instead of ipfw.

-- 
WBR, Vadim Goncharov