From: Paolo Pisati <p.pisati@oltrelinux.com>
Date: Tue, 17 Mar 2009 15:54:42 +0100
To: Alex Dupre
Cc: freebsd-ipfw@freebsd.org, Dmitriy Demidov, Luigi Rizzo
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <49BFB9B2.9090909@oltrelinux.com>
In-Reply-To: <49BF61E7.7020305@FreeBSD.org>
References: <200903132246.49159.dima_bsd@inbox.lv> <20090313214327.GA1675@onelab2.iet.unipi.it> <49BF61E7.7020305@FreeBSD.org>
List-Id: IPFW Technical Discussions

Alex Dupre wrote:
> Luigi Rizzo wrote:
>> It is not related to dynamic rules, but to the fact that
>> the firewall is called before reassembling packets.
>> The info (port numbers especially) is not available
>> in the fragments, so the firewall cannot do anything.
>> The only solution would be to call the firewall
>> after reassembly. I am not sure if there is any work in progress
>> for that.
>
> FWIW pf has a "traffic normalization" feature ("scrub" keyword) that
> reassembles packets before inspection. Unfortunately, it works with
> IPv4 packets, but lacks IPv6 support.

FYI, I have a patch for ipfw nat that reassembles a packet before nat [*], but if the idea of an explicit packet reassembly action sounds good, I could move the code over there.

[*] Actually the patch is really simple, it's just a call to ip_reass() with some glue code, but nonetheless it could be used more globally.

--
bye,
P.
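The point Luigi and Paolo are making (only the first fragment of a UDP datagram carries the port numbers, so a rule keyed on ports cannot match the remaining fragments unless something reassembles first) can be shown in a few dozen lines of user-space C. The program below is an added example written for this page; it is not code from the thread, from ipfw, from pf or from the patch Paolo mentions. It constructs one oversized UDP datagram in memory, fragments it the way an IPv4 router would, applies a "udp dst-port N" check to each fragment, then reassembles and checks again. The addresses, ports, IP identification value and payload sizes are made up, checksums are omitted, and the reassembler is a toy (in-order fragments only, no timeouts, no overlap handling) standing in for what ip_reass() or pf's scrub does in the kernel.

```c
/*
 * Added example, not from the thread or from FreeBSD: why a port-based
 * firewall check fails on non-first IPv4 fragments, and why reassembling
 * before inspection fixes it. Everything is constructed in memory.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MTU     1500
#define IPHDR   20
#define UDPHDR  8
#define MAXFRAG 8
#define MAXPKT  65535

struct frag { uint8_t buf[MTU]; size_t len; };
struct result {
    int    nfrag;              /* fragments produced by fragment() */
    int    match[MAXFRAG];     /* per fragment: does "udp dst-port X" match? */
    int    match_reassembled;  /* the same check after reassembly */
    size_t reassembled_len;    /* bytes after reassembly, 0 if incomplete */
};

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* IPv4 + UDP datagram with payload_len bytes of zero payload (no checksums). */
static size_t build_udp(uint8_t *out, uint16_t dport, size_t payload_len) {
    size_t tot = IPHDR + UDPHDR + payload_len;
    memset(out, 0, tot);
    out[0] = 0x45;                               /* IPv4, IHL 5 */
    put16(out + 2, (uint16_t)tot);               /* total length */
    put16(out + 4, 0x1234);                      /* identification (made up) */
    out[8] = 64; out[9] = 17;                    /* TTL, protocol = UDP */
    out[12] = 10; out[15] = 1;                   /* src 10.0.0.1 (made up) */
    out[16] = 10; out[19] = 2;                   /* dst 10.0.0.2 (made up) */
    put16(out + 20, 40000);                      /* UDP source port (made up) */
    put16(out + 22, dport);                      /* UDP destination port */
    put16(out + 24, (uint16_t)(UDPHDR + payload_len));
    return tot;
}

/* RFC 791 fragmentation: every fragment repeats the IP header, but the UDP
 * header is just the first 8 bytes of IP payload, so only the fragment with
 * offset 0 carries the ports. */
static int fragment(const uint8_t *pkt, size_t len, struct frag *out) {
    size_t data = len - IPHDR, off = 0, chunk = (MTU - IPHDR) & ~(size_t)7;
    int n = 0;
    while (off < data) {
        size_t l = data - off < chunk ? data - off : chunk;
        int more = (off + l) < data;             /* MF flag */
        if (n == MAXFRAG) return -1;
        memcpy(out[n].buf, pkt, IPHDR);
        memcpy(out[n].buf + IPHDR, pkt + IPHDR + off, l);
        put16(out[n].buf + 2, (uint16_t)(IPHDR + l));
        put16(out[n].buf + 6, (uint16_t)((more ? 0x2000 : 0) | (off / 8)));
        out[n].len = IPHDR + l;
        n++; off += l;
    }
    return n;
}

/* What a per-packet "udp dst-port" check can do: ports are only readable
 * when the fragment offset is 0; any other fragment is opaque payload. */
static int match_udp_dport(const uint8_t *p, size_t len, uint16_t dport) {
    if (len < IPHDR + UDPHDR || p[9] != 17) return 0;
    if ((get16(p + 6) & 0x1fff) != 0) return 0;  /* non-first fragment */
    return get16(p + 22) == dport;
}

/* Toy reassembly: in-order fragments of one datagram, no timeouts, no
 * overlap checks (ip_reass() handles all of that). 0 = incomplete. */
static size_t reassemble(const struct frag *fr, int n, uint8_t *out) {
    size_t total = 0;
    for (int i = 0; i < n; i++) {
        const uint8_t *p = fr[i].buf;
        size_t off = (size_t)(get16(p + 6) & 0x1fff) * 8, dl = fr[i].len - IPHDR;
        if (IPHDR + off + dl > MAXPKT) return 0;
        if (i == 0) memcpy(out, p, IPHDR);
        memcpy(out + IPHDR + off, p + IPHDR, dl);
        if (!(p[6] & 0x20)) total = IPHDR + off + dl;  /* MF clear: last one */
    }
    if (!total) return 0;
    put16(out + 2, (uint16_t)total);
    put16(out + 6, 0);                           /* no longer a fragment */
    return total;
}

/* Full scenario: build, fragment, check each fragment, reassemble, check. */
static struct result run_scenario(uint16_t dport, size_t payload_len) {
    static uint8_t pkt[MAXPKT], reass[MAXPKT];
    static struct frag fr[MAXFRAG];
    struct result r = {0};
    size_t len = build_udp(pkt, dport, payload_len);
    r.nfrag = fragment(pkt, len, fr);
    for (int i = 0; i < r.nfrag; i++)
        r.match[i] = match_udp_dport(fr[i].buf, fr[i].len, dport);
    r.reassembled_len = reassemble(fr, r.nfrag, reass);
    r.match_reassembled = match_udp_dport(reass, r.reassembled_len, dport);
    return r;
}

int main(void) {
    struct result r = run_scenario(53, 3000);    /* 3028-byte datagram, 3 fragments */
    for (int i = 0; i < r.nfrag; i++)
        printf("fragment %d: dst-port 53 match = %d\n", i, r.match[i]);
    printf("after reassembly (%zu bytes): match = %d\n", r.reassembled_len, r.match_reassembled);
    return 0;
}
```

With a 3000-byte payload the datagram splits into three fragments (1480, 1480 and 48 bytes of IP payload); only fragment 0 matches the port check, fragments 1 and 2 are rejected by the same rule that the first one passed, and after reassembly the rule matches the whole datagram. This is exactly the gap Luigi describes: a firewall that runs before reassembly either has to let all non-first fragments through on IP-level information alone or drop them, and a stateful rule keyed on ports can do neither correctly. Reassembling first (pf's scrub, or an ip_reass() call ahead of the rule lookup as in Paolo's nat patch) gives the rule the headers it needs, at the cost of buffering fragments and the usual reassembly concerns (timeouts, overlap handling, memory limits) that this toy version omits.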