From owner-freebsd-hackers Tue Feb 10 19:01:45 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA13085 for hackers-outgoing; Tue, 10 Feb 1998 19:01:45 -0800 (PST) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from gaia.coppe.ufrj.br (cisigw.coppe.ufrj.br [146.164.5.200]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA13061 for ; Tue, 10 Feb 1998 19:01:32 -0800 (PST) (envelope-from jonny@coppe.ufrj.br)
Received: (from jonny@localhost) by gaia.coppe.ufrj.br (8.8.8/8.8.8) id BAA19294; Wed, 11 Feb 1998 01:01:11 -0200 (EDT) (envelope-from jonny)
From: Joao Carlos Mendes Luis
Message-Id: <199802110301.BAA19294@gaia.coppe.ufrj.br>
Subject: Re: ipfw logs ports for fragments
In-Reply-To: <199802102235.OAA00832@hub.freebsd.org> from Darren Reed at "Feb 11, 98 09:35:16 am"
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Wed, 11 Feb 1998 01:01:11 -0200 (EDT)
Cc: archie@whistle.com, nash@Mcs.Net, freebsd-hackers@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

#define quoting(Darren Reed)
// > Something just bugs me about this whole thing. The bottom line is
// > that you simply can't tell, given the available information, whether
// > a rule that specifies port ranges and/or TCP flags should match a
// > non-zero offset fragment. And even if you had the available information
// > (ie, the first fragment), it's still unclear what the semantics of ipfw
// > are supposed to be.
// >
// > Does the sysadmin want us to correlate the fragment with the first
// > fragment of that packet, then apply the rule iff it matches that
// > zero-offset fragment?
//
// That might be nice, but you need to keep a history of fragments for
// that to work.
Or you activate a still-to-be-released-by-some-good-soul sysctl meant to force reassembly of every incoming packet before passing through the firewall, which is my ONLY connection to the internet, so there could not be any chance of packets taking different routes to the destination. :)

After all, why would somebody want an alternative route bypassing a firewall? If, in any case, somebody does this, just leave the sysctl at its default value.

Jonny

--
Joao Carlos Mendes Luis                  jonny@gta.ufrj.br
+55 21 290-4698                          jonny@coppe.ufrj.br
Universidade Federal do Rio de Janeiro   UFRJ/COPPE/CISI
PGP fingerprint: 29 C0 50 B9 B6 3E 58 F2 83 5F E3 26 BF 0F EA 67
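To make the point of the thread concrete, here is an added example in Python (not code from this thread, from ipfw, or from FreeBSD): it parses constructed IPv4 fragments, shows that a port-based rule has nothing to inspect on a non-zero-offset fragment, and reassembles the datagram first, which is what a "reassemble before the firewall" sysctl would do before a rule is evaluated. The addresses, IP id and TCP header are constructed test values, and the reassembler ignores overlap and timeout handling that a real kernel needs.

```python
import struct
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total length, id, flags+offset, ttl, proto, csum, src, dst
TCP, UDP = 6, 17

def parse_ipv4(pkt):
    """Split a minimal IPv4 datagram (20-byte header, no options) into its fragment-relevant fields."""
    ver_ihl, _, total, ident, fo, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"key": (src, dst, ident, proto), "mf": bool(fo & 0x2000),
            "offset": (fo & 0x1FFF) * 8, "payload": pkt[ihl:total]}

def ports_of(pkt):
    """Return (sport, dport), or None when the fragment cannot carry the L4 header (non-zero offset)."""
    p = parse_ipv4(pkt)
    if p["offset"] != 0 or p["key"][3] not in (TCP, UDP) or len(p["payload"]) < 4:
        return None
    return struct.unpack("!HH", p["payload"][:4])

class Reassembler:
    """Hold fragments per (src, dst, id, proto) and return the whole datagram once every byte is present.
    Simplification: assumes fragments do not overlap and no timeout is needed (a real kernel has both)."""
    def __init__(self):
        self.pending = {}
    def feed(self, pkt):
        p = parse_ipv4(pkt)
        frags, total = self.pending.setdefault(p["key"], ({}, None))
        frags[p["offset"]] = p["payload"]
        if not p["mf"]:                        # the last fragment fixes the total payload length
            total = p["offset"] + len(p["payload"])
        self.pending[p["key"]] = (frags, total)
        if total is None or sum(len(f) for f in frags.values()) != total:
            return None                         # still holes: nothing a port rule can decide yet
        data = b"".join(frags[o] for o in sorted(frags))
        del self.pending[p["key"]]
        hdr = bytearray(pkt[:20])
        struct.pack_into("!H", hdr, 2, 20 + len(data))  # fix total length
        struct.pack_into("!H", hdr, 6, 0)               # clear MF and fragment offset
        return bytes(hdr) + data

def _frag(ident, flags_offset, payload):
    """Constructed test fragment (hypothetical 10.0.0.1 -> 10.0.0.2 TCP), not captured traffic."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_offset, 64, TCP, 0,
                      b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

# One 20-byte TCP header (sport 1234 -> dport 80) split into two 8-byte-aligned fragments.
TCP_HDR = struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
FIRST = _frag(7, 0x2000 | 0, TCP_HDR[:16])   # MF set, offset 0: ports visible
SECOND = _frag(7, 2, TCP_HDR[16:])            # MF clear, offset 2*8=16: no ports at all
```

Feeding FIRST and then SECOND through the reassembler yields a datagram on which ports_of() answers again, whereas SECOND on its own gives a rule with port ranges nothing to match against.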