From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 2 12:09:09 2009
From: Paolo Pisati
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.org, Dmitriy Demidov, Alex Dupre
Date: Thu, 02 Apr 2009 14:09:00 +0200
Message-ID: <49D4AADC.30900@oltrelinux.com>
In-Reply-To: <20090402113231.GB6577@onelab2.iet.unipi.it>
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
List-Id: IPFW Technical Discussions

Luigi Rizzo wrote:
> Can you put a description in the manpage, especially on the
> assumptions and side effects of the reass option?
>
> E.g. as I read it,
> + you need to make sure that the fragments are not dropped before
>   the 'reass' (so you cannot rely on port numbers to decide
>   accept or deny). This is obvious but a very common mistake;
> + reass silently queues the fragment if it does not reass, so it
>   opens up a bit of vulnerability. Again obvious, but people
>   won't realise if they don't see the code.

Someone else already pointed out that I should mention net.inet.ip.maxfrag*; I'll come up with an updated man page later today.

-- 
bye,
P.
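The two caveats above in ruleset form, as an added example that is not from this thread or from the ipfw sources: a rule file for `ipfw -q /path/to/file`, assuming a single inbound interface em0 and that the host itself serves DNS and NTP (both placeholders). The commented-out block is the ordering Luigi calls the common mistake; the live rules are the corrected ordering.

```conf
# Added example, not from the thread: ipfw rule file with "reass" placed
# before any port-based rule. em0 and the DNS/NTP services are assumptions.

# Common mistake: port-based accept/deny evaluated before reass.
# Non-first fragments carry no transport header, so "dst-port 53" can
# never match them and the default deny drops them before reassembly
# can complete; the reass rule is never reached for those fragments.
#   add 100 allow udp from any to me dst-port 53 in via em0
#   add 200 deny ip from any to any in via em0
#   add 300 reass ip from any to any in via em0

# Corrected ordering: reassemble first, classify on ports afterwards.
# Whether the reassembled datagram continues down the ruleset depends on
# net.inet.ip.fw.one_pass (with it set to 0 processing continues with the
# next rule), so check that sysctl on the host before relying on the
# port rules below.
add 100 reass ip from any to any in via em0

# Everything below now sees whole datagrams, so port matching is meaningful.
add 200 allow udp from any to me dst-port 53 in via em0
add 210 allow udp from any to me dst-port 123 in via em0
add 65000 deny log ip from any to any in via em0
```

The queued-fragment exposure from the second caveat is bounded by the net.inet.ip.maxfrag* sysctls the reply refers to; I take these to be net.inet.ip.maxfragpackets (fragmented datagrams held in the reassembly queue) and net.inet.ip.maxfragsperpacket (fragments accepted per datagram), and lowering them trades large-datagram support for a smaller queue an attacker can fill.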