From: Darren Reed
Subject: Re: ipfw logs ports for fragments
To: archie@whistle.com (Archie Cobbs)
Date: Wed, 11 Feb 1998 09:35:16 +1100 (EDT)
Cc: nash@Mcs.Net, freebsd-hackers@FreeBSD.ORG
In-Reply-To: <199802101932.LAA02216@bubba.whistle.com> from "Archie Cobbs" at Feb 10, 98 11:32:30 am

This isn't rocket science any more...

In some mail from Archie Cobbs, sie said:
>
> [ private email re short term fix to ipfw code, copying to hackers... ]
>
> Something just bugs me about this whole thing. The bottom line is
> that you simply can't tell, given the available information, whether
> a rule that specifies port ranges and/or TCP flags should match a
> non-zero offset fragment. And even if you had the available information
> (ie, the first fragment), it's still unclear what the semantics of ipfw
> are supposed to be.
>
> Does the sysadmin want us to correlate the fragment with the first
> fragment of that packet, then apply the rule iff it matches that
> zero-offset fragment?

That might be nice, but you need to keep a history of fragments for that
to work.

> Does the fact that the rule does not specify IP_FW_F_FRAG mean that
> the sysadmin did not intend this rule to apply to non-zero offset
> fragments?

No, it means they're not matching fragments in particular.

> As a side note: in any case, we need to modify check_ipfw_struct()
> to disallow any rules which (a) have port ranges or TCP flags, and
> (b) have the IP_FW_F_FRAG flag set. Such rules simply don't make sense.

Yup.

> But what is the semantics of NOT specifying the IP_FW_F_FRAG flag?
> Does this mean the rule ONLY applies to zero-offset fragments?

No, it means you don't care about whether or not it is fragmented.

> PROBABLY NOT -- this would be different, unexpected behavior. Plus
> everybody's firewalls would suddenly start leaking non-zero offset
> fragments, which would be harmless but silly. OK, let this be decided.

Huh?

> Now the question is.. which exception to make?
>
> #1 Don't even TRY to match rules containing port ranges and/or flags
> to non-zero offset fragments.

Correct.

> #2 Match port range/flag rules to non-zero offset fragments by testing
> the rule AS IF it did not contain the port range and/or flag
> restrictions.

Wrong.

Darren
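The two points the thread settles on, the install-time rejection of port/flag rules that also carry IP_FW_F_FRAG, and option #1 (never try a port/flag rule against a non-zero-offset fragment), written out as an added example. This is illustrative code, not ipfw's own; the `struct rule`, the `RULE_F_*` flags and `build_tcp_packet()` are assumptions made for the example, and the packet it builds is constructed sample input.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical rule representation for this example; not ipfw's struct ip_fw. */
#define RULE_F_FRAG   0x01  /* match only non-zero-offset fragments (cf. IP_FW_F_FRAG) */
#define RULE_F_PORTS  0x02  /* rule carries a destination port range */
#define RULE_F_TCPFLG 0x04  /* rule requires certain TCP flag bits */

struct rule {
    unsigned flags;
    uint8_t  proto;              /* IP protocol number, 6 = TCP */
    uint16_t dport_lo, dport_hi; /* inclusive destination port range */
    uint8_t  tcp_flags;          /* TCP flag bits that must all be set */
};

/* Install-time check of the kind proposed for check_ipfw_struct(): needs L4 data + frag-only can never fire. */
bool rule_is_valid(const struct rule *r) {
    bool needs_l4 = (r->flags & (RULE_F_PORTS | RULE_F_TCPFLG)) != 0;
    return !(needs_l4 && (r->flags & RULE_F_FRAG));
}

/* Option #1: a port/flag rule is never tried on a non-zero-offset fragment (no TCP header there). */
bool rule_matches(const struct rule *r, const uint8_t *pkt, size_t len) {
    if (len < 20) return false;
    size_t   ihl      = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t frag_off = (uint16_t)(((pkt[6] << 8) | pkt[7]) & 0x1fff); /* 8-byte units */
    bool     needs_l4 = (r->flags & (RULE_F_PORTS | RULE_F_TCPFLG)) != 0;
    if (pkt[9] != r->proto) return false;
    if (r->flags & RULE_F_FRAG) return frag_off != 0;  /* frag-only rule */
    if (frag_off != 0) return !needs_l4;               /* option #1: no L4 data here */
    if (!needs_l4) return true;
    if (len < ihl + 20) return false;                  /* truncated TCP header */
    const uint8_t *tcp = pkt + ihl;
    uint16_t dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    if ((r->flags & RULE_F_PORTS) && (dport < r->dport_lo || dport > r->dport_hi))
        return false;
    if ((r->flags & RULE_F_TCPFLG) && (tcp[13] & r->tcp_flags) != r->tcp_flags)
        return false;
    return true;
}

/* Constructed 40-byte IPv4+TCP packet (no checksums) used as sample input. */
size_t build_tcp_packet(uint8_t *buf, uint16_t frag_off, uint16_t dport, uint8_t tcp_flags) {
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[9] = 6;                     /* IHL 5, len 40, TCP */
    buf[6] = (uint8_t)(frag_off >> 8); buf[7] = (uint8_t)frag_off;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;  /* TCP dst port */
    buf[32] = 0x50; buf[33] = tcp_flags;                        /* data offset 5, flags */
    return 40;
}
```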