Date: Tue, 17 Mar 2009 09:40:07 +0100
From: Alex Dupre <ale@FreeBSD.org>
To: Luigi Rizzo <rizzo@iet.unipi.it>
Cc: freebsd-ipfw@freebsd.org, Dmitriy Demidov <dima_bsd@inbox.lv>
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <49BF61E7.7020305@FreeBSD.org>
In-Reply-To: <20090313214327.GA1675@onelab2.iet.unipi.it>
References: <200903132246.49159.dima_bsd@inbox.lv> <20090313214327.GA1675@onelab2.iet.unipi.it>
Luigi Rizzo wrote:
> it is not related to dynamic rules, but to the fact that
> that the firewall is called before reassembling packets.
> The info (port numbers especially) is not available
> in the fragments so the firewall cannot do anything.
> The only solution would be to call the firewall
> after reassembly. I am not sure if there is any work in progress
> for that.

FWIW pf has "traffic normalization" feature ("scrub" keyword), that
reassembles packets before inspection. Unfortunately, it works with IPv4
packets, but lacks IPv6 support.

-- 
Alex Dupre
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?49BF61E7.7020305>
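The point made in the thread (a filter that runs before reassembly sees the UDP ports only in the first fragment, so a port-based keep-state rule cannot match the trailing fragments, while a normalisation step such as pf's scrub reassembles first) can be shown with a small model. The following is an added example, not code from the thread, from ipfw or from pf: it builds a constructed IPv4/UDP datagram, fragments it the way a router would, runs a toy port-matching rule over each fragment, then reassembles and runs the rule again. The 10.0.0.1 -> 10.0.0.2 addresses, ports 40000 -> 53, the 1400-byte payload and the 576-byte MTU are arbitrary sample values; checksums are left at zero because nothing here verifies them.

```python
"""Model of why a port-matching (keep-state style) rule cannot match the
trailing fragments of a large UDP datagram, and why reassembling first
(pf 'scrub' style normalisation) fixes it.  Added example; sample values
(addresses, ports, MTU, payload) are constructed, checksums are zero."""
import struct

UDP = 17
MF = 0x2000            # IPv4 "more fragments" flag (flags/offset field)
OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, in units of 8 bytes


def build_udp_datagram(src, dst, sport, dport, payload, ident=0x1234):
    """Unfragmented IPv4 datagram carrying one UDP packet (checksums zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ident,
                     0, 64, UDP, 0, src, dst)
    return ip + udp


def _rewrite_header(hdr, data_len, flags_frag):
    """Copy a 20-byte IPv4 header with new total length and flags/offset."""
    return (hdr[:2] + struct.pack("!H", 20 + data_len) + hdr[4:6]
            + struct.pack("!H", flags_frag) + hdr[8:])


def fragment(datagram, mtu):
    """Split an IPv4 datagram into fragments that fit `mtu`, as a router would."""
    hdr, data = datagram[:20], datagram[20:]
    chunk = (mtu - 20) // 8 * 8       # fragment data must be a multiple of 8
    if chunk <= 0:
        raise ValueError("mtu too small for an IPv4 fragment")
    frags = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        last = off + chunk >= len(data)
        frags.append(_rewrite_header(hdr, len(piece),
                                     (0 if last else MF) | (off // 8)) + piece)
    return frags


def parse(pkt):
    """What a packet filter sees when handed one IP packet (fragment or not)."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"ident": ident, "proto": proto,
            "offset": (flags_frag & OFFSET_MASK) * 8,
            "more": bool(flags_frag & MF), "sport": None, "dport": None}
    data = pkt[ihl:total_len]
    # The UDP header lives only in the fragment at offset 0; trailing
    # fragments carry opaque payload, so there are no ports to match on.
    if proto == UDP and info["offset"] == 0 and len(data) >= 8:
        info["sport"], info["dport"] = struct.unpack("!HH", data[:4])
    return info


def keep_state_matches(pkt, dport):
    """Toy model of 'allow udp from any to any <dport> keep-state': it can
    only match when the destination port is visible in this packet."""
    info = parse(pkt)
    return info["proto"] == UDP and info["dport"] == dport


def reassemble(frags):
    """Normalisation step: rebuild the datagram before the rules run."""
    if len({parse(f)["ident"] for f in frags}) != 1:
        raise ValueError("fragments belong to different datagrams")
    ordered = sorted(frags, key=lambda f: parse(f)["offset"])
    data = b""
    for f in ordered:
        if parse(f)["offset"] != len(data):
            raise ValueError("gap or overlap at offset %d" % len(data))
        total_len = struct.unpack("!H", f[2:4])[0]
        data += f[(f[0] & 0x0F) * 4:total_len]
    if parse(ordered[-1])["more"]:
        raise ValueError("last fragment missing")
    return _rewrite_header(ordered[0][:20], len(data), 0) + data


def demo(mtu=576, payload_len=1400):
    """Return (per-fragment rule results, rule result after reassembly)."""
    pkt = build_udp_datagram(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02",
                             40000, 53, b"A" * payload_len)
    frags = fragment(pkt, mtu)
    return [keep_state_matches(f, 53) for f in frags], keep_state_matches(reassemble(frags), 53)


if __name__ == "__main__":
    per_fragment, after_reassembly = demo()
    print("rule matches per fragment:", per_fragment)
    print("rule matches after reassembly:", after_reassembly)
```

With the sample values the datagram splits into three fragments; only the first carries the UDP header, so the port rule matches it and fails on the other two, which a filter without a dynamic-rule match would drop or let through depending on its fragment handling. Running the same rule on the reassembled datagram matches once, which is the behaviour a normalisation step in front of the rules gives you.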