Date: Wed, 11 Feb 1998 01:01:11 -0200 (EDT)
From: Joao Carlos Mendes Luis <jonny@coppe.ufrj.br>
To: avalon@coombs.anu.edu.au (Darren Reed)
Cc: archie@whistle.com, nash@Mcs.Net, freebsd-hackers@FreeBSD.ORG
Subject: Re: ipfw logs ports for fragments
Message-ID: <199802110301.BAA19294@gaia.coppe.ufrj.br>
In-Reply-To: <199802102235.OAA00832@hub.freebsd.org> from Darren Reed at "Feb 11, 98 09:35:16 am"
#define quoting(Darren Reed)
// > Something just bugs me about this whole thing.  The bottom line is
// > that you simply can't tell, given the available information, whether
// > a rule that specifies port ranges and/or TCP flags should match a
// > non-zero offset fragment.  And even if you had the available information
// > (ie, the first fragment), it's still unclear what the semantics of ipfw
// > are supposed to be.
// >
// > Does the sysadmin want us to correlate the fragment with the first
// > fragment of that packet, then apply the rule iff it matches that
// > zero-offset fragment?
//
// That might be nice, but you need to keep a history of fragments for
// that to work.

Or you activate a still-to-be-released-by-some-good-soul sysctl meant to
force reassembly of every incoming packet before passing through the
firewall, which is my ONLY connection to the internet, so there could not
be any chance of packets taking different routes to the destination. :)

After all, why would somebody want an alternative route bypassing a
firewall? If, in any case, somebody does this, just leave the sysctl at
its default value.

					Jonny

--
Joao Carlos Mendes Luis			jonny@gta.ufrj.br
+55 21 290-4698				jonny@coppe.ufrj.br
Universidade Federal do Rio de Janeiro	UFRJ/COPPE/CISI
PGP fingerprint: 29 C0 50 B9 B6 3E 58 F2 83 5F E3 26 BF 0F EA 67

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199802110301.BAA19294>
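The point the two messages are circling, as an added illustration that is not part of this thread and not ipfw or FreeBSD code: a rule on TCP ports can only be decided against the fragment that carries the transport header (fragment offset 0). A later fragment of the same datagram has no ports at all, so a stateless filter can either refuse to decide or, as Darren describes and Jonny's "history of fragments" remark points out, remember the first fragment keyed on (src, dst, IP id, protocol) and correlate later fragments with it. Everything below is constructed: the two fragments, the 10.0.0.x addresses, the IP id and the "tcp to port 25" rule are made up for the example, and the history is a fixed-size table with no timeouts.

```c
/* Added illustration, not ipfw or FreeBSD code: a TCP port rule can only be
 * decided on the offset-0 fragment; later fragments need a history to match. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IP_MF      0x2000
#define IP_OFFMASK 0x1fff
#define HIST       8

struct frag_info {
    uint32_t src, dst;
    uint16_t id, off;     /* IP id; fragment offset in bytes */
    uint8_t  proto;
    int      has_ports;   /* transport header present in this fragment */
    uint16_t dport;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* Parse an IPv4 header. Returns 0, or -1 if the packet is too short / not v4. */
int parse_frag(const uint8_t *pkt, size_t len, struct frag_info *fi) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return -1;
    memset(fi, 0, sizeof *fi);
    fi->id    = rd16(pkt + 4);
    fi->proto = pkt[9];
    fi->src   = rd32(pkt + 12);
    fi->dst   = rd32(pkt + 16);
    fi->off   = (uint16_t)((rd16(pkt + 6) & IP_OFFMASK) * 8);
    /* The transport header is only in the offset-0 fragment, and the ports
     * are only there if that fragment carries at least 4 payload bytes. */
    if (fi->off == 0 && (fi->proto == 6 || fi->proto == 17) && len >= ihl + 4) {
        fi->has_ports = 1;
        fi->dport = rd16(pkt + ihl + 2);
    }
    return 0;
}

/* History of first fragments seen, keyed on (src, dst, id, proto). */
static struct frag_info hist[HIST];
static int hist_n;

/* Evaluate "tcp to destination port dport" on one fragment.
 * Returns 1 = match, 0 = no match, -1 = undecidable from this fragment. */
int rule_dport(const uint8_t *pkt, size_t len, uint16_t dport, int use_history) {
    struct frag_info fi;
    if (parse_frag(pkt, len, &fi) < 0) return -1;
    if (fi.has_ports) {
        if (use_history && hist_n < HIST) hist[hist_n++] = fi;
        return fi.proto == 6 && fi.dport == dport;
    }
    if (!use_history) return -1;                 /* stateless: nothing to match on */
    for (int i = 0; i < hist_n; i++)             /* correlate with the first fragment */
        if (hist[i].src == fi.src && hist[i].dst == fi.dst &&
            hist[i].id == fi.id && hist[i].proto == fi.proto)
            return hist[i].proto == 6 && hist[i].dport == dport;
    return -1;                                   /* first fragment not seen (yet) */
}

/* Build a constructed IPv4 packet (checksum left zero; not checked here). */
size_t build_pkt(uint8_t *buf, uint16_t id, uint16_t off_words, int mf,
                 uint8_t proto, const uint8_t *payload, size_t plen) {
    uint16_t tot = (uint16_t)(20 + plen);
    uint16_t fo  = (uint16_t)((mf ? IP_MF : 0) | (off_words & IP_OFFMASK));
    memset(buf, 0, 20);
    buf[0] = 0x45;                  /* version 4, IHL 5 */
    buf[2] = tot >> 8; buf[3] = tot & 0xff;
    buf[4] = id >> 8;  buf[5] = id & 0xff;
    buf[6] = fo >> 8;  buf[7] = fo & 0xff;
    buf[8] = 64;       buf[9] = proto;
    memcpy(buf + 12, "\x0a\x00\x00\x01", 4);    /* 10.0.0.1, made up */
    memcpy(buf + 16, "\x0a\x00\x00\x02", 4);    /* 10.0.0.2, made up */
    memcpy(buf + 20, payload, plen);
    return 20 + plen;
}

/* One TCP datagram to port 25, split in two. Returns the verdict on the
 * non-zero-offset fragment; reversed=1 delivers it before the first one. */
int demo(int use_history, int reversed) {
    static const uint8_t tcp_hdr[8] = { 0x04, 0xd2, 0x00, 0x19, 0, 0, 0, 0 }; /* 1234 -> 25 */
    static const uint8_t data[8] = { 0 };
    uint8_t p1[40], p2[40];
    size_t l1 = build_pkt(p1, 0x1234, 0, 1, 6, tcp_hdr, 8);  /* offset 0, MF set */
    size_t l2 = build_pkt(p2, 0x1234, 1, 0, 6, data, 8);     /* offset 8, last */
    hist_n = 0;
    if (!reversed) (void)rule_dport(p1, l1, 25, use_history);
    return rule_dport(p2, l2, 25, use_history);
}

int main(void) {
    printf("stateless, in order:        %d\n", demo(0, 0));
    printf("with history, in order:     %d\n", demo(1, 0));
    printf("with history, second first: %d\n", demo(1, 1));
    return 0;
}
```

Run stateless, the second fragment is undecidable (-1) no matter how the rule is written, which is exactly why a rule with ports or TCP flags has no obvious meaning for it. With the history it matches (1) when the first fragment arrived earlier, and is still undecidable when the fragments arrive out of order, which is the case the "correlate with the first fragment" approach has to define a policy for. Forcing reassembly before the filter, the sysctl Jonny wants, sidesteps the whole question: every datagram the rules see is then a complete offset-0 packet with its ports present.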