From: Giorgos Keramidas
To: freebsd-questions@freebsd.org
Date: Sat, 12 Apr 2003 22:52:00 +0300
Subject: Re: Firewall Rules/connection troubles
Message-ID: <20030412195200.GE2501@gothmog.gr>
In-Reply-To: <20030412134031.GA94973@jrpenn.demon.co.uk>
References: <200304120023.h3C0NtvN036040@server1.shellworld.net> <20030412053057.GB65034@gothmog.gr> <20030412134031.GA94973@jrpenn.demon.co.uk>

On 2003-04-12 14:40, Jeff Penn wrote:
> On Sat, Apr 12, 2003 at 08:30:57AM +0300, Giorgos Keramidas wrote:
> >
> > h. You're blocking fragments. It's not always a good idea.
>
> Provided most rules use check-state, and the 'deny frag' rule follows
> the check-state rules, won't valid fragments be passed by dynamic rules?

No. A fragment cannot always match a check-state rule or a rule with
keep-state further down. A fragment is allowed to have an offset and a
size, specifying what part of the original packet it covers. Bearing in
mind that the IP packet header is 20 bytes (without options), and the
TCP header is also 20 bytes (also without options), any fragment after
the first 40 bytes does not include source & destination address/port
information. It cannot be checked against the check-state rule and it
won't match a setup rule either.
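To make the offset argument concrete, here is an added Python model (not from this thread and not ipfw's own code): it fragments a TCP datagram at a made-up 576-byte MTU and walks each fragment through a simplified check-state / 'deny frag' ruleset. The addresses, ports and the pre-existing dynamic rule are constructed for the demo, and the ruleset walk is a simplification of how ipfw evaluates rules.

```python
import struct
from ipaddress import ip_address
IP_FMT = "!BBHHHBBH4s4s"  # IPv4 header without options: 20 bytes

def ipv4_packet(src, dst, proto, payload, ident=0x1234, more=False, offset8=0):
    """Build an IPv4 datagram (IHL=5; header checksum left at 0 for brevity)."""
    flags_frag = (0x2000 if more else 0) | (offset8 & 0x1FFF)  # MF bit + 13-bit offset
    return struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto,
                       0, ip_address(src).packed, ip_address(dst).packed) + payload

def parse_ipv4(pkt):
    ver_ihl, _, _, _, ff, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    return {"src": str(ip_address(src)), "dst": str(ip_address(dst)), "proto": proto,
            "more": bool(ff & 0x2000), "offset": (ff & 0x1FFF) * 8,
            "payload": pkt[(ver_ihl & 0x0F) * 4:]}

def fragment(pkt, mtu):
    """Split a datagram as a router would: each chunk but the last is a multiple of 8 bytes."""
    p, frags = parse_ipv4(pkt), []
    chunk = (mtu - 20) // 8 * 8
    for off in range(0, len(p["payload"]), chunk):
        frags.append(ipv4_packet(p["src"], p["dst"], p["proto"], p["payload"][off:off + chunk],
                                 more=off + chunk < len(p["payload"]), offset8=off // 8))
    return frags

def five_tuple(pkt):
    """Key a dynamic (check-state) rule needs; the TCP ports exist only in the offset-0 fragment."""
    p = parse_ipv4(pkt)
    if p["offset"] != 0 or p["proto"] != 6 or len(p["payload"]) < 4:
        return None
    sport, dport = struct.unpack("!HH", p["payload"][:4])
    return (p["src"], sport, p["dst"], dport)

def ipfw_decision(pkt, dynamic_rules):
    """Simplified walk of the ruleset under discussion: check-state, then 'deny frag', then deny."""
    key = five_tuple(pkt)
    if key is not None and key in dynamic_rules:
        return "allow (check-state)"
    if parse_ipv4(pkt)["offset"] != 0:
        return "deny (frag)"
    return "deny (default)"

# Constructed sample: a 1500-byte TCP segment from a made-up client to port 80 crossing a
# hypothetical 576-byte MTU link, while a dynamic rule for that flow already exists.
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 65535, 0, 0)
DATAGRAM = ipv4_packet("10.0.0.2", "192.0.2.10", 6, TCP_HDR + b"X" * 1480)
FRAGS = fragment(DATAGRAM, 576)
STATE = {("10.0.0.2", 40000, "192.0.2.10", 80)}

def decisions():
    return [ipfw_decision(f, STATE) for f in FRAGS]
```

Only the offset-0 fragment yields a 5-tuple for check-state; every later fragment falls through to the 'deny frag' rule, which is the case the reply describes.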