Date: Wed, 11 Feb 1998 09:35:16 +1100 (EDT)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: archie@whistle.com (Archie Cobbs)
Cc: nash@Mcs.Net, freebsd-hackers@FreeBSD.ORG
Subject: Re: ipfw logs ports for fragments
Message-ID: <199802102235.OAA00832@hub.freebsd.org>
In-Reply-To: <199802101932.LAA02216@bubba.whistle.com> from "Archie Cobbs" at Feb 10, 98 11:32:30 am
This isn't rocket science any more...

In some mail from Archie Cobbs, sie said:
>
> [ private email re short term fix to ipfw code, copying to hackers... ]
>
> Something just bugs me about this whole thing. The bottom line is
> that you simply can't tell, given the available information, whether
> a rule that specifies port ranges and/or TCP flags should match a
> non-zero offset fragment. And even if you had the available information
> (ie, the first fragment), it's still unclear what the semantics of ipfw
> are supposed to be.
>
> Does the sysadmin want us to correlate the fragment with the first
> fragment of that packet, then apply the rule iff it matches that
> zero-offset fragment?

That might be nice, but you need to keep a history of fragments for that
to work.

> Does the fact that the rule does not specify IP_FW_F_FRAG mean that
> the sysadmin did not intend this rule to apply to non-zero offset
> fragments?

No, it means they're not matching fragments in particular.

> As a side note: in any case, we need to modify check_ipfw_struct()
> to disallow any rules which (a) have port ranges or TCP flags, and
> (b) have the IP_FW_F_FRAG flag set. Such rules simply don't make sense.

Yup.

> But what is the semantics of NOT specifying the IP_FW_F_FRAG flag?
> Does this mean the rule ONLY applies to zero-offset fragments?

No, it means you don't care about whether or not it is fragmented.

> PROBABLY NOT -- this would be different, unexpected behavior. Plus
> everybody's firewalls would suddenly start leaking non-zero offset
> fragments, which would be harmless but silly. OK, let this be decided.

Huh ?

> Now the question is.. which exception to make?
>
> #1 Don't even TRY to match rules containing port ranges and/or flags
> to non-zero offset fragments.

Correct.

> #2 Match port range/flag rules to non-zero offset fragments by testing
> the rule AS IF it did not contain the port range and/or flag
> restrictions.

Wrong.
Darren
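The exchange above argues for option #1 (a rule with port ranges or TCP flags is simply never tried against a non-zero-offset fragment, since the fields it tests live only in the first fragment) plus a load-time sanity check rejecting rules that combine IP_FW_F_FRAG with port or flag restrictions. The C below is a constructed model of those two semantics added here for illustration; it is not code from this thread, from FreeBSD or from ipfw. The flag bit values, the struct layouts, the rule and packet fields, and the sample ruleset are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed flag bits: not ipfw's real values. */
#define IP_FW_F_FRAG    0x0001  /* rule matches only non-zero-offset fragments ("frag") */
#define IP_FW_F_TCPFLG  0x0002  /* rule constrains TCP flags */

#define MODEL_IPPROTO_TCP 6
#define MODEL_IPPROTO_UDP 17

/* Assumed rule layout for the model. */
struct fw_rule {
    unsigned flags;
    uint8_t  proto;                /* 0 = any protocol */
    uint16_t sport_lo, sport_hi;   /* both 0 = any source port */
    uint16_t dport_lo, dport_hi;   /* both 0 = any destination port */
    uint8_t  tcp_flags;            /* flags that must be set when IP_FW_F_TCPFLG is on */
    bool     allow;                /* true = accept, false = deny */
};

/* Assumed packet summary: what the filter can see of one IP fragment. */
struct pkt {
    uint8_t  proto;
    uint16_t frag_off;             /* IP fragment offset in 8-byte units; 0 = first/only fragment */
    uint16_t sport, dport;         /* meaningful only when frag_off == 0 */
    uint8_t  tcp_flags;            /* meaningful only when frag_off == 0 and proto == TCP */
};

/* A rule has "L4 constraints" when it tests ports or TCP flags, i.e.
 * header fields that exist only in the zero-offset fragment. */
static bool rule_has_l4_constraints(const struct fw_rule *r)
{
    return r->sport_lo || r->sport_hi || r->dport_lo || r->dport_hi ||
           (r->flags & IP_FW_F_TCPFLG);
}

/* The check_ipfw_struct() sanity test proposed in the thread: a rule restricted
 * to non-zero-offset fragments cannot also test ports or TCP flags.
 * Returns 0 when the rule is sane, -1 when it should be rejected at load time. */
int check_rule_struct(const struct fw_rule *r)
{
    if ((r->flags & IP_FW_F_FRAG) && rule_has_l4_constraints(r))
        return -1;
    return 0;
}

static bool in_range(uint16_t v, uint16_t lo, uint16_t hi)
{
    if (lo == 0 && hi == 0)
        return true;
    return v >= lo && v <= hi;
}

/* Option #1: a rule carrying port or flag restrictions never matches a
 * non-zero-offset fragment. Rules without such restrictions match regardless
 * of fragmentation; IP_FW_F_FRAG rules match only non-zero-offset fragments. */
bool rule_matches(const struct fw_rule *r, const struct pkt *p)
{
    if (r->proto != 0 && r->proto != p->proto)
        return false;
    if ((r->flags & IP_FW_F_FRAG) && p->frag_off == 0)
        return false;
    if (p->frag_off != 0)
        return !rule_has_l4_constraints(r);   /* no transport header to inspect */
    if (!in_range(p->sport, r->sport_lo, r->sport_hi) ||
        !in_range(p->dport, r->dport_lo, r->dport_hi))
        return false;
    if (r->flags & IP_FW_F_TCPFLG) {
        if (p->proto != MODEL_IPPROTO_TCP)
            return false;
        if ((p->tcp_flags & r->tcp_flags) != r->tcp_flags)
            return false;
    }
    return true;
}

/* First-match evaluation; nothing matching means deny. */
bool filter_allows(const struct fw_rule *rules, size_t n, const struct pkt *p)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], p))
            return rules[i].allow;
    return false;
}

/* Constructed sample ruleset: accept TCP to port 80, deny everything else. */
const struct fw_rule demo_rules[] = {
    { 0, MODEL_IPPROTO_TCP, 0, 0, 80, 80, 0, true  },
    { 0, 0,                 0, 0, 0,  0,  0, false },
};
const size_t demo_nrules = sizeof demo_rules / sizeof demo_rules[0];

/* Constructed inputs: a "frag"-only rule, a nonsensical frag+port rule,
 * and the first and a later fragment of one TCP datagram to port 80. */
const struct fw_rule frag_only_rule = { IP_FW_F_FRAG, 0, 0, 0, 0, 0, 0, true };
const struct fw_rule bad_rule = { IP_FW_F_FRAG, MODEL_IPPROTO_TCP, 0, 0, 80, 80, 0, true };
const struct pkt demo_first = { MODEL_IPPROTO_TCP, 0,   40000, 80, 0x02 };
const struct pkt demo_tail  = { MODEL_IPPROTO_TCP, 185, 0,     0,  0    };

int main(void)
{
    printf("first fragment: %s\n", filter_allows(demo_rules, demo_nrules, &demo_first) ? "allow" : "deny");
    printf("later fragment: %s\n", filter_allows(demo_rules, demo_nrules, &demo_tail) ? "allow" : "deny");
    printf("frag+port rule sane: %s\n", check_rule_struct(&bad_rule) == 0 ? "yes" : "no");
    return 0;
}
```

With this model the later fragment is not decided by the port-80 rule at all; it falls through to the final deny, which is exactly the "don't even TRY" behaviour of option #1. Under option #2 the same port rule, tested "as if" it had no port restriction, would have accepted the fragment, which is the difference the two posters are arguing about.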