From owner-freebsd-hackers Tue Feb 10 14:46:20 1998
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA02726 for hackers-outgoing; Tue, 10 Feb 1998 14:46:20 -0800 (PST) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA02642 for ; Tue, 10 Feb 1998 14:46:09 -0800 (PST) (envelope-from archie@whistle.com)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id OAA10723; Tue, 10 Feb 1998 14:45:38 -0800 (PST)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma010721; Tue Feb 10 14:45:33 1998
Received: (from archie@localhost) by bubba.whistle.com (8.8.7/8.6.12) id OAA05680; Tue, 10 Feb 1998 14:45:32 -0800 (PST)
From: Archie Cobbs
Message-Id: <199802102245.OAA05680@bubba.whistle.com>
Subject: Re: ipfw logs ports for fragments
In-Reply-To: <199802102235.OAA00832@hub.freebsd.org> from Darren Reed at "Feb 11, 98 09:35:16 am"
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Tue, 10 Feb 1998 14:45:32 -0800 (PST)
Cc: nash@Mcs.Net, freebsd-hackers@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Darren Reed writes:
> > Does the fact that the rule does not specify IP_FW_F_FRAG mean that
> > the sysadmin did not intend this rule to apply to non-zero offset
> > fragments?
>
> No, it means they're not matching fragments in particular.

Right- this makes the most sense I think. No IP_FW_F_FRAG means it's
a "don't care".

> > But what is the semantics of NOT specifying the IP_FW_F_FRAG flag?
> > Does this mean the rule ONLY applies to zero-offset fragments?
>
> No, it means you don't care about whether or not it is fragmented.

Right.

> > PROBABLY NOT -- this would be different, unexpected behavior. Plus
> > everybody's firewalls would suddenly start leaking non-zero offset
> > fragments, which would be harmless but silly. OK, let this be decided.
>
> Huh ?

What I meant was that the answer to the question ``Does this mean the
rule ONLY applies to zero-offset fragments?'' is probably NOT. Because
if we change the behavior to do this, suddenly a bunch of rules will
change their semantics (ignore my confusing example).

> > Now the question is.. which exception to make?
> >
> > #1 Don't even TRY to match rules containing port ranges and/or flags
> > to non-zero offset fragments.
>
> Correct.

OK with me -- as long as everyone realizes that this is going to change
the current behavior.

> > #2 Match port range/flag rules to non-zero offset fragments by testing
> > the rule AS IF it did not contain the port range and/or flag
> > restrictions.
>
> Wrong.

That's what we currently do.

Whether #1 or #2 -- the important thing is to document it.

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe hackers" in the body of the message
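As an added illustration, not part of this thread and not FreeBSD's ipfw source, the C model below implements both candidate semantics (#1: skip port/flag rules for non-zero-offset fragments; #2: match them as if the port/flag tests were absent) side by side over a small first-match ruleset, so the packets on which the two choices disagree can be seen directly. The flag names RULE_F_FRAG, RULE_F_PORTS and RULE_F_TCPFLG, the struct layouts, and the sample rules and packets are all assumptions constructed for this example; only the semantic question itself comes from the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of ipfw rule matching (not FreeBSD's code).
 * Flag names are assumptions chosen to echo the thread's IP_FW_F_FRAG. */
#define RULE_F_FRAG    0x01 /* rule says "frag": match only non-zero-offset fragments */
#define RULE_F_PORTS   0x02 /* rule restricts the destination port range */
#define RULE_F_TCPFLG  0x04 /* rule restricts TCP flags (e.g. "established") */
#define TH_ACK         0x10

struct rule {
    int id;
    uint8_t proto;              /* 0 = any, 6 = TCP, 17 = UDP */
    unsigned flags;             /* RULE_F_* bits */
    uint16_t dport_lo, dport_hi;
    uint8_t tcp_mask, tcp_want; /* match when (tcp_flags & tcp_mask) == tcp_want */
    bool allow;
};

struct pkt {
    uint8_t proto;
    uint16_t frag_off;  /* IP fragment offset; 0 = unfragmented or first fragment */
    uint16_t dport;     /* only present on the wire when frag_off == 0 */
    uint8_t tcp_flags;  /* likewise */
};

/* The two candidate semantics from the thread for a non-zero-offset
 * fragment hitting a rule that carries port or flag restrictions. */
enum semantics {
    SEM_SKIP_RESTRICTED = 1,    /* #1: such rules never match such fragments */
    SEM_IGNORE_RESTRICTIONS = 2 /* #2: match as if the rule had no port/flag tests */
};

static bool rule_matches(const struct rule *r, const struct pkt *p, enum semantics sem)
{
    bool nonzero_frag = p->frag_off != 0;
    bool restricted = (r->flags & (RULE_F_PORTS | RULE_F_TCPFLG)) != 0;

    if (r->proto != 0 && r->proto != p->proto)
        return false;
    /* "frag" present: only non-zero-offset fragments. Absent: don't care. */
    if ((r->flags & RULE_F_FRAG) && !nonzero_frag)
        return false;
    if (nonzero_frag && restricted) {
        /* No transport header in this fragment, so the port/flag tests
         * cannot be evaluated. This is the only place #1 and #2 differ. */
        return sem == SEM_IGNORE_RESTRICTIONS;
    }
    if ((r->flags & RULE_F_PORTS) && (p->dport < r->dport_lo || p->dport > r->dport_hi))
        return false;
    if ((r->flags & RULE_F_TCPFLG) && (p->tcp_flags & r->tcp_mask) != r->tcp_want)
        return false;
    return true;
}

/* Constructed sample ruleset; first match wins, last rule is the catch-all deny. */
static const struct rule ruleset[] = {
    {   100,  6, RULE_F_PORTS,  25, 25, 0,      0,      true  }, /* allow tcp to port 25 */
    {   200,  6, RULE_F_TCPFLG,  0,  0, TH_ACK, TH_ACK, true  }, /* allow tcp established */
    {   300, 17, RULE_F_FRAG,    0,  0, 0,      0,      true  }, /* allow udp frag */
    { 65535,  0, 0,              0,  0, 0,      0,      false }, /* deny ip from any to any */
};

/* Returns the id of the first matching rule under the given semantics. */
int first_match(const struct pkt *p, enum semantics sem)
{
    for (size_t i = 0; i < sizeof ruleset / sizeof ruleset[0]; i++)
        if (rule_matches(&ruleset[i], p, sem))
            return ruleset[i].id;
    return -1; /* unreachable while the catch-all rule is present */
}

/* True if the packet is passed by the first matching rule. */
bool is_allowed(const struct pkt *p, enum semantics sem)
{
    int id = first_match(p, sem);
    for (size_t i = 0; i < sizeof ruleset / sizeof ruleset[0]; i++)
        if (ruleset[i].id == id)
            return ruleset[i].allow;
    return false;
}

int main(void)
{
    /* Constructed sample packets: proto, frag_off, dport, tcp_flags. */
    const struct pkt samples[] = {
        {  6,   0, 25, 0x02   }, /* TCP SYN to port 25, unfragmented */
        {  6,   0, 80, 0x02   }, /* TCP SYN to port 80 */
        {  6,   0, 80, TH_ACK }, /* TCP ACK to port 80 ("established") */
        {  6, 185,  0, 0      }, /* TCP non-zero-offset fragment: no ports on the wire */
        { 17,   0, 53, 0      }, /* UDP unfragmented / first fragment */
        { 17,   5,  0, 0      }, /* UDP non-zero-offset fragment */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("pkt %zu: #1 -> rule %d, #2 -> rule %d\n", i,
               first_match(&samples[i], SEM_SKIP_RESTRICTED),
               first_match(&samples[i], SEM_IGNORE_RESTRICTIONS));
    return 0;
}
```

The two semantics agree on every sample except the non-zero-offset TCP fragment: under #2 (the behavior Archie describes as current) rule 100 passes it because its port test is simply skipped, while under #1 the same fragment falls through to the catch-all deny. That divergence is the behavior change the thread says must be documented whichever option is chosen, and it is also why a ruleset that relies on port-restricted allow rules should be re-read with fragments in mind.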