Date:      Thu, 29 Aug 2024 21:45:55 +0200
From:      Olivier Cochard-Labbé <olivier@freebsd.org>
To:        mike tancsa <mike@sentex.net>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>
Subject:   Re: dropping udp fragments with ipfw
Message-ID:  <CA+q+Tcpj7OY0HpUuw7uDGzLQW_GUcXoNkAg2ACDJ65dK7ZDUjg@mail.gmail.com>
In-Reply-To: <790fcb38-db6c-41ce-8222-8146be5dbe3b@sentex.net>

On Thu, Aug 29, 2024 at 8:52 PM mike tancsa <mike@sentex.net> wrote:

> But this would kill all UDP fragments.  If the host has some other UDP
> application that needs to deal with fragmented packets, is there a way
> to get around that and only drop packets with a certain port in the
> first fragment?

When a packet is fragmented, only the IP header (not the UDP header that
includes the port number) is copied for all subsequent fragmented packets.
To fix this behavior, you can instruct the firewall to reassemble the
packet before performing UDP/TCP port filtering.
Refer to the ipfw(4) man page on the "reass" keyword, which provides the
following example:
ipfw add reass all from any to any in

I hope this helps!
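A small Python model of the mechanism described above, added here as an illustration and not code from the thread or from ipfw itself: it builds a UDP datagram, fragments it, shows that a per-fragment port check only ever sees a port in the first fragment, and then matches the port after reassembly, which is the ordering that placing `reass` before the port rules enforces. All addresses, ports and payload bytes are constructed sample values.

```python
import struct
UDP = 17  # IP protocol number for UDP

def build_udp_datagram(sport, dport, payload):
    """UDP header (checksum left at 0) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def fragment_ipv4(ip_id, src, dst, transport, step=16):
    """Split one transport PDU into IPv4 fragments carrying `step` bytes each.
    `step` must be a multiple of 8 because fragment offsets count 8-byte units."""
    frags = []
    for off in range(0, len(transport), step):
        chunk = transport[off:off + step]
        more = 1 if off + len(chunk) < len(transport) else 0   # MF flag
        flags_off = (more << 13) | (off // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk),
                          ip_id, flags_off, 64, UDP, 0, src, dst)
        frags.append(hdr + chunk)                # only frags[0] carries the UDP header
    return frags

def parse_ipv4(pkt):
    """Return the fields a filter needs: IP ID, MF flag, byte offset, protocol, payload."""
    ver_ihl, _, _, ip_id, flags_off, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ip_id, "mf": (flags_off >> 13) & 1,
            "off": (flags_off & 0x1FFF) * 8, "proto": proto, "payload": pkt[ihl:]}

def per_fragment_dst_port(pkt):
    """What a filter sees without reassembly: a UDP header exists only at offset 0."""
    f = parse_ipv4(pkt)
    if f["proto"] != UDP or f["off"] != 0 or len(f["payload"]) < 8:
        return None                      # non-first fragment: no port to match on
    return struct.unpack("!H", f["payload"][2:4])[0]

def reassemble(frags):
    """Glue the fragments of one datagram back together, as `reass` does before later rules."""
    parts = sorted((parse_ipv4(p) for p in frags), key=lambda f: f["off"])
    data, expected = b"", 0
    for f in parts:
        if f["off"] != expected:         # gap or overlap: incomplete, nothing to filter yet
            return None
        data += f["payload"]
        expected += len(f["payload"])
    return data if parts and parts[-1]["mf"] == 0 else None

def reassembled_dst_port(frags):
    """Port filtering after reassembly: decided for the whole datagram, not per fragment."""
    data = reassemble(frags)
    return struct.unpack("!H", data[2:4])[0] if data and len(data) >= 8 else None
```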
