From: "Vadim Goncharov" <vadimnuclight@tpu.ru>
Organization: AVTF TPU Hostel
Date: Wed, 14 Nov 2007 14:05:27 +0600
To: freebsd-ipfw
In-Reply-To: <5d2f37910711132245n3e699b57i1746594462725a09@mail.gmail.com>
Subject: Re: Fwd: Fragmented Packet Reassembly and IPFW2

14.11.07 @ 12:45 Curby wrote:

> "The ip_input() routine in the kernel then dequeues the packet,
> performs sanity checks on the packet and determines the destination
> for the packet. If the destination is the local computer, the kernel
> will perform packet reassembly."

Yes, but this happens AFTER the firewall. And only for the local computer, not transit traffic.

> from
> http://usenix.net/events/bsdcon02/full_papers/lidl/lidl_html/index.html

This is an article about BSD/OS ipfw, not FreeBSD's ipfw - they're very different.

> Also, this poster is less sure but suggests that this might happen:
> http://osdir.com/ml/freebsd.isp/2003-02/msg00091.html

He's wrong.

> I also think that Linux iptables only sees reassembled packets (at
> least some of the time, e.g. when it is legitimate traffic destined
> for the host itself), so this isn't altogether wild and crazy.

I don't know about Linux's behaviour in this case (and anyway, it's irrelevant to FreeBSD).

> If in fact reassembly does not happen, I should remove that rule as
> frags will likely not match using a check-state rule because they lack
> tcp/udp header information. Is there a way in ipfw to allow frags
> that claim to be related to a known-good first frag but drop others?
> Something like check-state but for fragments 1 and above, in other
> words.

No, that needs reassembly. You can try using a divert socket as the first rule on the input, though, as packets get reassembled before diverting. You need to put something listening on the divert socket and echoing packets back. It can be ng_ksocket + ng_echo, try to experiment with them. Or use pf scrub instead of ipfw.

-- 
WBR, Vadim Goncharov
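The divert-and-echo arrangement Vadim describes, as an added example written for this archive page (it is not code from the thread or from FreeBSD). It assumes a companion rule `ipfw add 100 divert 8668 ip from any to any in` placed first, divert port 8668, and FreeBSD's `IPPROTO_DIVERT` value of 254; the header check only confirms that what arrives on the divert socket is a whole datagram, since ipfw has already reassembled it.

```c
/* Minimal divert "echo" daemon for FreeBSD ipfw (added example, not from the
 * thread). Assumed companion rule, placed first so all inbound traffic hits it:
 *   ipfw add 100 divert 8668 ip from any to any in
 * ipfw reassembles fragments before delivering to a divert socket, and a
 * datagram written back with the same sockaddr re-enters the ruleset at the
 * next rule, so later check-state/allow rules see whole TCP/UDP headers. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 254   /* FreeBSD's value; not defined on other OSes */
#endif
#define DIVERT_PORT 8668     /* must match the divert rule above (assumed) */

/* 1 if the IPv4 header marks a fragment (MF set or nonzero offset), 0 for a
 * whole datagram, -1 if the buffer is not a parseable IPv4 header. */
int ip_is_fragment(const unsigned char *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    unsigned int frag = ((unsigned int)pkt[6] << 8) | pkt[7];
    return (frag & 0x3fff) != 0;   /* MF = 0x2000, offset mask = 0x1fff */
}

/* Re-inject only whole IPv4 datagrams; after divert reassembly that is all
 * we expect to see, so anything else is silently dropped. */
int should_reinject(const unsigned char *pkt, size_t len)
{
    return ip_is_fragment(pkt, len) == 0;
}
int main(void)
{
    struct sockaddr_in sin;
    unsigned char buf[65535];
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) { perror("socket"); return 1; }
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(DIVERT_PORT);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("bind"); return 1; }
    for (;;) {
        socklen_t slen = sizeof sin;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&sin, &slen);
        if (n < 0) { perror("recvfrom"); continue; }
        if (should_reinject(buf, (size_t)n))   /* same sockaddr => same direction */
            sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&sin, slen);
    }
}
```

Run it as root on the ipfw host before loading the divert rule; without a listener, ipfw drops diverted packets.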