From: Olivier Cochard-Labbé
Date: Thu, 29 Aug 2024 21:45:55 +0200
Subject: Re: dropping udp fragments with ipfw
To: mike tancsa
Cc: FreeBSD Net

On Thu, Aug 29, 2024 at 8:52 PM mike tancsa wrote:

> But this would kill all UDP fragments. If the host has some other UDP
> application that needs to deal with fragmented packets, is there a way
> to get around that and only drop packets with a certain port in the
> first fragment ?

When a packet is fragmented, only the IP header (not the UDP header that includes the port number) is copied for all subsequent fragmented packets.
To fix this behavior, you can instruct the firewall to reassemble the packet before performing UDP/TCP port filtering.
Refer to the ipfw(4) man page on the "reass" keyword, which provides the following example:

    ipfw add reass all from any to any in

I hope this helps!
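The behaviour described in the reply above, as an added example that is not part of the original message: a simplified model of why a per-packet port match only sees the first fragment, and why matching after reassembly works. The addresses, ports, and all function names are constructed for illustration.

```python
import struct

def ipv4_header(frag_off_bytes, more_frags, payload_len, ident=0x1234):
    """Minimal 20-byte IPv4 header, protocol 17 (UDP); checksum left at 0."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_off_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def fragment(udp_datagram, chunk=16):
    """Split a UDP datagram (header + data) into IPv4 fragments.
    chunk must be a multiple of 8, as fragment offsets are in 8-byte units."""
    frags = []
    for off in range(0, len(udp_datagram), chunk):
        part = udp_datagram[off:off + chunk]
        more = off + chunk < len(udp_datagram)
        frags.append(ipv4_header(off, more, len(part)) + part)
    return frags

def udp_dst_port(packet):
    """Destination port visible to a per-packet filter, or None when the
    packet is a non-first fragment and therefore carries no UDP header."""
    ihl = (packet[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    if flags_frag & 0x1FFF:  # non-zero offset: payload starts mid-datagram
        return None
    return struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]

def reassemble(frags):
    """Rebuild one unfragmented packet from all fragments, in any order.
    Simplified model of reassembling before port rules are evaluated."""
    parts = {}
    for p in frags:
        ihl = (p[0] & 0x0F) * 4
        off = (struct.unpack("!H", p[6:8])[0] & 0x1FFF) * 8
        parts[off] = p[ihl:]
    payload = b"".join(parts[o] for o in sorted(parts))
    return ipv4_header(0, False, len(payload)) + payload

# Constructed sample: UDP 40000 -> 9999 with 40 data bytes (48-byte datagram).
UDP = struct.pack("!HHHH", 40000, 9999, 48, 0) + b"A" * 40
FRAGS = fragment(UDP)

if __name__ == "__main__":
    print("per-fragment view:", [udp_dst_port(p) for p in FRAGS])
    print("after reassembly: ", udp_dst_port(reassemble(FRAGS)))
```
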
