Date: Sat, 12 Apr 2003 22:52:00 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: freebsd-questions@freebsd.org
Subject: Re: Firewall Rules/connection troubles
Message-ID: <20030412195200.GE2501@gothmog.gr>
In-Reply-To: <20030412134031.GA94973@jrpenn.demon.co.uk>
References: <200304120023.h3C0NtvN036040@server1.shellworld.net> <20030412053057.GB65034@gothmog.gr> <20030412134031.GA94973@jrpenn.demon.co.uk>
On 2003-04-12 14:40, Jeff Penn <jeff@jrpenn.demon.co.uk> wrote:
>On Sat, Apr 12, 2003 at 08:30:57AM +0300, Giorgos Keramidas wrote:
>>
>> h. You're blocking fragments. It's not always a good idea.
>
> Provided most rules use check-state, and the 'deny frag' rule follows
> the check-state rules, won't valid fragments be passed by dynamic rules?

No. A fragment cannot always match a check-state rule or a rule with
keep-state further down. A fragment is allowed to have an offset and a
size, specifying what part of the original packet it covers. Bearing in
mind that the IP packet header is 20 bytes (without options), and the
TCP header is also 20 bytes (also without options), any fragment after
the first 40 bytes does not include source & destination address/port
information. It cannot be checked against the check-state rule and it
won't match a setup rule either.
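The point Giorgos makes above, shown in code. This is an added example, not something posted in the thread and not FreeBSD or ipfw code: it builds a TCP/IP datagram with the standard library only, fragments it, and then runs each fragment through a deliberately simplified imitation of an ipfw ruleset of the form "check-state, then deny frag". The addresses, ports and payload are constructed test data, IP and TCP checksums are left at zero because nothing here validates them, and the function names (build_ipv4_tcp, fragment, classify, ipfw_like_lookup) are this example's own. The classifier can only read TCP ports from the fragment whose offset is 0; every later fragment carries the IP header (so the addresses are there) but none of the TCP header, so no dynamic-rule key can be formed for it and it falls through to "deny frag".

```python
import socket
import struct

IP_HDR_LEN = 20      # IPv4 header without options
TCP_HDR_LEN = 20     # TCP header without options
IP_MF = 0x2000       # "More Fragments" bit in the flags/fragment-offset field
IPPROTO_TCP = 6


def build_ipv4_tcp(src, dst, sport, dport, payload, ident=0x1234):
    """Build one unfragmented IPv4 datagram carrying a minimal TCP segment.

    Checksums are left as 0: this example never hands the bytes to a
    real stack, it only looks at header layout (constructed test data).
    """
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport,            # source / destination port
                      0, 0,                    # seq / ack
                      (TCP_HDR_LEN // 4) << 4, # data offset (5 words)
                      0x18,                    # PSH+ACK
                      65535, 0, 0)             # window, checksum, urgent ptr
    total = IP_HDR_LEN + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total, ident,
                     0,                        # flags + fragment offset
                     64, IPPROTO_TCP, 0,       # ttl, proto, checksum
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def fragment(datagram, mtu):
    """Split a datagram into IP fragments that each fit in `mtu` bytes.

    Every fragment gets a copy of the IP header with its own total length,
    fragment offset (in 8-byte units) and MF flag. Only the first fragment
    contains the start of the TCP header.
    """
    hdr, body = datagram[:IP_HDR_LEN], datagram[IP_HDR_LEN:]
    chunk = (mtu - IP_HDR_LEN) // 8 * 8   # offsets must be multiples of 8
    frags, off = [], 0
    while off < len(body):
        piece = body[off:off + chunk]
        more = off + len(piece) < len(body)
        flags_off = (IP_MF if more else 0) | (off // 8)
        fhdr = (hdr[:2]
                + struct.pack("!H", IP_HDR_LEN + len(piece))
                + hdr[4:6]
                + struct.pack("!H", flags_off)
                + hdr[8:])
        frags.append(fhdr + piece)
        off += len(piece)
    return frags


def classify(packet):
    """What a packet filter can see in one IP packet.

    Addresses come from the IP header, which every fragment carries.
    Ports come from the TCP header, which only the offset-0 fragment has,
    so sport/dport are None for any non-first fragment.
    """
    _, _, _, ident, flags_off, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    info = {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "proto": proto,
        "offset": (flags_off & 0x1FFF) * 8,
        "more": bool(flags_off & IP_MF),
        "sport": None,
        "dport": None,
    }
    if info["offset"] == 0 and proto == IPPROTO_TCP and len(packet) >= IP_HDR_LEN + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[IP_HDR_LEN:IP_HDR_LEN + 4])
    return info


def ipfw_like_lookup(state, packet):
    """Simplified imitation of 'check-state' followed by 'deny ip from any to any frag'.

    `state` holds (src, dst, sport, dport) keys created earlier by keep-state
    rules. ipfw's `frag` option matches fragments other than the first one,
    which here means offset != 0.
    """
    info = classify(packet)
    key = (info["src"], info["dst"], info["sport"], info["dport"])
    if info["sport"] is not None and key in state:
        return "check-state (dynamic rule)"
    if info["offset"] != 0:
        return "deny frag"
    return "static rules"


def demo(mtu=64):
    """Fragment a 100-byte TCP segment of an established flow and report the verdicts.

    Returns a list of (fragment offset, source port seen, deciding rule).
    """
    dg = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 22, b"A" * 100)
    state = {("10.0.0.1", "10.0.0.2", 40000, 22)}   # flow opened earlier by keep-state
    return [(classify(f)["offset"], classify(f)["sport"], ipfw_like_lookup(state, f))
            for f in fragment(dg, mtu)]


if __name__ == "__main__":
    for offset, sport, verdict in demo():
        print(f"offset={offset:4d} sport={sport} -> {verdict}")
```

With an MTU of 64 the 140-byte datagram becomes three fragments of 40 payload bytes each. The first one (offset 0) still carries the whole TCP header, so the dynamic rule matches it; the fragments at offsets 40 and 80 have addresses but no ports, so no dynamic rule can ever match them and the "deny frag" rule drops them, which is exactly why blocking fragments below check-state breaks legitimate fragmented traffic. Real ipfw can be told to reassemble first ("reass", in later FreeBSD releases) or the path MTU can be fixed so the segments never fragment; which of those applies depends on the FreeBSD version in use.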