Date: Sun, 8 Feb 1998 23:15:57 -0700 (MST)
From: Marc Slemko <marcs@znep.com>
To: Archie Cobbs <archie@whistle.com>
Cc: jonny@coppe.ufrj.br, hackers@freebsd.org
Subject: Re: ipfw logs ports for fragments
Message-ID: <Pine.BSF.3.95.980208231009.18733W-100000@alive.znep.com>
In-Reply-To: <199802090600.WAA12310@bubba.whistle.com>
On Sun, 8 Feb 1998, Archie Cobbs wrote:

> Marc Slemko writes:
> > If you don't explicitly tell ipfw to pass frags, it will not. That will
> > break some things, but is the safest way.
>
> This is not correct.. ipfw will always block fragments whose offset
> is one (only seen in attempts to subvert firewalls) but not ordinary
> fragments... that would be a serious problem.

Ok, let me clarify that statement.

First, ipfw always blocks certain types of fragments that are used only to
bypass firewalls.

Second, it will block any fragment that _could_ match any deny rule even if
it has incomplete information so it doesn't know that it _does_ match the
rule. Since the tcp header is normally only in the first fragment, if you
block access to a specific port then ipfw can't know if subsequent fragments
are to that port or not so it blocks them. You need to add an explicit rule
to allow it to pass such fragments if the risk is acceptable to you.
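The decision procedure Marc describes, written out as a small model so the three cases can be tried against real IPv4 bytes. This is an added example, not part of the message and not ipfw source: the rule syntax is reduced to (action, protocol, destination port, frag-only), the packets are constructed inline, the offset-1 drop, the "deny rule that could match" rule and the explicit frag-allow rule follow the message, and the trailing default deny is an assumption of the model rather than a statement about any kernel's default.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the behaviour described in the message above; it is
# not ipfw source, and the rule syntax is simplified to (action, proto, dport, frag).
TCP = 6
UDP = 17


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[int] = None  # None matches any IP protocol
    dport: Optional[int] = None  # None matches any destination port
    frag: bool = False           # like ipfw's "frag": only non-first fragments


@dataclass
class Packet:
    proto: int
    offset: int                  # fragment offset, in 8-byte units
    dport: Optional[int]         # None when no transport header is present


def parse_ipv4(raw: bytes) -> Packet:
    """Extract what a fragment-aware filter can see in one IPv4 datagram."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    offset = struct.unpack("!H", raw[6:8])[0] & 0x1FFF
    dport = None
    # Only the first fragment (offset 0) carries the TCP/UDP header.
    if offset == 0 and proto in (TCP, UDP) and len(raw) >= ihl + 4:
        dport = struct.unpack("!H", raw[ihl + 2:ihl + 4])[0]
    return Packet(proto, offset, dport)


def classify(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation following the points made in the message."""
    # Offset-1 fragments start 8 bytes into the transport header, so on
    # reassembly they can overwrite the part already inspected; always drop.
    if pkt.offset == 1:
        return "deny"
    for r in rules:
        if r.frag and pkt.offset == 0:
            continue                         # "frag" rules never see first fragments
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dport is not None:
            if pkt.dport is None:
                # Non-first fragment: the port is unknown. A deny rule that
                # *could* match is applied; an allow rule that cannot be
                # confirmed is skipped.
                if r.action == "deny":
                    return "deny"
                continue
            if r.dport != pkt.dport:
                continue
        return r.action
    return "deny"                            # model assumption: default deny


def ipv4(proto: int, offset: int, payload: bytes, more: bool = False) -> bytes:
    """Build a minimal IPv4 header (constructed test traffic, checksum left 0)."""
    flags_off = (0x2000 if more else 0) | offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_off, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


# Constructed traffic: a telnet SYN split so only the first fragment has ports.
TCP_TO_23 = struct.pack("!HHIIBBHHH", 40000, 23, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
TCP_TO_80 = struct.pack("!HHIIBBHHH", 40001, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
FIRST_TELNET = ipv4(TCP, 0, TCP_TO_23, more=True)
LATER_FRAG = ipv4(TCP, 3, b"A" * 8)          # offset 3: no transport header
TINY_FRAG = ipv4(TCP, 1, b"B" * 8)           # offset 1: the firewall-subversion case
FIRST_HTTP = ipv4(TCP, 0, TCP_TO_80)

# "deny tcp from any to any 23" followed by "allow ip from any to any"
STRICT = [Rule("deny", TCP, 23), Rule("allow")]
# Same, preceded by the explicit "allow ip from any to any frag" the message describes
PASS_FRAGS = [Rule("allow", frag=True)] + STRICT


def verdicts(rules: List[Rule]) -> dict:
    pkts = {"first_telnet": FIRST_TELNET, "later_frag": LATER_FRAG,
            "tiny_frag": TINY_FRAG, "first_http": FIRST_HTTP}
    return {name: classify(rules, parse_ipv4(raw)) for name, raw in pkts.items()}


if __name__ == "__main__":
    print("strict     ", verdicts(STRICT))
    print("pass frags ", verdicts(PASS_FRAGS))
```

With STRICT the later fragment is denied even though the filter never saw its port, which is the "could match" behaviour; with PASS_FRAGS the frag rule lets it through while the offset-1 fragment is still dropped and the first fragment to port 23 is still denied. The frag-allow rule must sit before the port deny, since evaluation stops at the first match.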
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95.980208231009.18733W-100000>