Date: Sun, 15 Mar 2009 13:40:13 +0300
From: Sergey Matveychuk <sem@FreeBSD.org>
To: Luigi Rizzo <rizzo@iet.unipi.it>
Cc: freebsd-ipfw@freebsd.org, Dmitriy Demidov <dima_bsd@inbox.lv>
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <49BCDB0D.6070608@FreeBSD.org>
In-Reply-To: <20090315100206.GA63505@onelab2.iet.unipi.it>
References: <200903132246.49159.dima_bsd@inbox.lv> <49BBB94A.7040208@FreeBSD.org> <200903142031.53326.dima_bsd@inbox.lv> <49BCCC9D.30109@FreeBSD.org> <20090315100206.GA63505@onelab2.iet.unipi.it>
Luigi Rizzo wrote:
> On Sun, Mar 15, 2009 at 12:38:37PM +0300, Sergey Matveychuk wrote:
>> Dmitriy Demidov wrote:
>>> Hi Luigi. Thank you for the answer.
>>> It is a big "surprise" for me that reassembling of IP datagrams is done
>>> not *before* they go into the firewall, but *after* :(
>> But what's wrong with it? A fragment is received from the net, passes the
>> firewall and is stored. After all fragments are received, the OS reassembles
>> the packet and passes it through the firewall again.
>
> Currently we don't have a way to re-invoke the firewall after
> reassembly. In fact, we should probably provide hooks before and
> after reassembly, and use them in a configurable way.

It sounds like a security issue. We can construct any packet that passes through the firewall?

--
Dixi.
Sem.
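The two packet paths discussed above (per-fragment filtering with no re-check after reassembly, versus the post-reassembly hook Luigi proposes) as an added, constructed Python model; this is not ipfw code or anything from the thread, and the port/size policy, the `Fragment` class and the 2000-byte sample datagram are all assumptions made for illustration.

```python
# Constructed model (not ipfw code) of the packet path discussed in the thread:
# each IP fragment is checked on its own before reassembly, and the reassembled
# datagram is never presented to the firewall again. A second pipeline adds the
# post-reassembly hook Luigi suggests, so a whole-datagram rule can run.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Fragment:
    ident: int            # IP identification shared by all fragments of one datagram
    offset: int           # fragment offset in bytes (0 = first fragment)
    more: bool            # "more fragments" flag
    dport: Optional[int]  # UDP destination port; only the first fragment carries it
    payload: bytes

ALLOWED_DPORT = 53      # constructed policy: allow UDP to port 53 (keep-state style)
MAX_DATAGRAM = 1500     # constructed policy: drop UDP datagrams larger than this

def check_fragment(frag: Fragment) -> bool:
    """Per-packet check: it can only see what this one fragment carries."""
    if frag.offset == 0:
        return frag.dport == ALLOWED_DPORT and len(frag.payload) <= MAX_DATAGRAM
    # A non-first fragment has no UDP header, so neither rule can be evaluated on
    # it; this model lets it through (a modelling assumption, not ipfw's logic).
    return True

def reassemble(frags: List[Fragment]) -> Optional[Fragment]:
    """Join the fragments of one datagram; None if any piece is missing."""
    frags = sorted(frags, key=lambda f: f.offset)
    if not frags or frags[0].offset != 0 or frags[-1].more:
        return None
    data, expect = b"", 0
    for f in frags:
        if f.offset != expect:
            return None  # hole in the datagram
        data += f.payload
        expect += len(f.payload)
    return Fragment(frags[0].ident, 0, False, frags[0].dport, data)

def deliver_no_rehook(frags: List[Fragment]) -> Optional[Fragment]:
    """Current path: filter each fragment, reassemble, deliver with no re-check."""
    return reassemble([f for f in frags if check_fragment(f)])

def deliver_with_rehook(frags: List[Fragment]) -> Optional[Fragment]:
    """Proposed path: same per-fragment filter, then re-check the whole datagram."""
    full = reassemble([f for f in frags if check_fragment(f)])
    return full if full is not None and check_fragment(full) else None

# Constructed sample: a 2000-byte UDP/53 datagram split into two fragments.
BIG_DNS = [Fragment(7, 0, True, 53, b"A" * 1480), Fragment(7, 1480, False, None, b"B" * 520)]
```

With `BIG_DNS`, `deliver_no_rehook` hands the oversized datagram up because each fragment passed on its own, while `deliver_with_rehook` drops it once the whole datagram can be measured.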