Date: Thu, 29 Aug 2024 21:45:55 +0200
From: Olivier Cochard-Labbé <olivier@freebsd.org>
To: mike tancsa <mike@sentex.net>
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: dropping udp fragments with ipfw
Message-ID: <CA+q+Tcpj7OY0HpUuw7uDGzLQW_GUcXoNkAg2ACDJ65dK7ZDUjg@mail.gmail.com>
In-Reply-To: <790fcb38-db6c-41ce-8222-8146be5dbe3b@sentex.net>
References: <790fcb38-db6c-41ce-8222-8146be5dbe3b@sentex.net>
On Thu, Aug 29, 2024 at 8:52 PM mike tancsa <mike@sentex.net> wrote:
> But this would kill all UDP fragments. If the host has some other UDP
> application that needs to deal with fragmented packets, is there a way
> to get around that and only drop packets with a certain port in the
> first fragment ?

When a packet is fragmented, only the IP header (not the UDP header that includes the port number) is copied for all subsequent fragmented packets.
To fix this behavior, you can instruct the firewall to reassemble the packet before performing UDP/TCP port filtering.
Refer to the ipfw(4) man page on the "reass" keyword, which provides the following example:

    ipfw add reass all from any to any in

I hope this helps!