Date:      Thu, 29 Aug 2024 14:51:37 -0400
From:      mike tancsa <mike@sentex.net>
To:        FreeBSD Net <freebsd-net@freebsd.org>
Subject:   dropping udp fragments with ipfw
Message-ID:  <790fcb38-db6c-41ce-8222-8146be5dbe3b@sentex.net>

I was working on some firewall rules to drop large UDP fragment attacks 
and noticed there is no easy way to drop fragments based on port? e.g. 
if someone sends a UDP packet of 1400 bytes, I can drop it with

TARGET=192.168.1.1

ipfw add 5 deny log udp from any 53 to $TARGET

But if that packet is say 2000 bytes and is fragmented, the fragment 
passes through. I have to add a subsequent rule

ipfw add 10 deny log udp from any to $TARGET fragment

But this would kill all UDP fragments.  If the host has some other UDP 
application that needs to deal with fragmented packets, is there a way 
to get around that and only drop packets with a certain port in the 
first fragment?

     ---Mike
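Added example, not part of Mike's message and not ipfw code: a small Python model of why a port match can only ever see the first fragment (offset 0 is the only one carrying the UDP header), with a stateful filter that remembers the (src, dst, IP ID) of a denied first fragment so the datagram's remaining fragments are dropped while other UDP fragments pass. The packet builder, the target address and the "deny"/"allow" verdict strings are assumptions for the demo.

```python
import socket
import struct

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header (no options) and split off the payload."""
    (ver_ihl, _tos, _tlen, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ident": ident,
            "mf": bool(flags_frag & 0x2000),        # More Fragments flag
            "frag_off": (flags_frag & 0x1FFF) * 8,  # offset in bytes
            "payload": pkt[ihl:]}

def udp_ports(ip: dict):
    """Return (sport, dport) if this fragment carries the UDP header, else None."""
    if ip["proto"] != 17 or ip["frag_off"] != 0 or len(ip["payload"]) < 8:
        return None                                 # later fragment: no ports to match
    return struct.unpack("!HH", ip["payload"][:4])

class FragmentAwareFilter:
    """Deny UDP from source port deny_sport to target, including later fragments."""
    def __init__(self, target: str, deny_sport: int = 53):
        self.target, self.deny_sport = target, deny_sport
        self.pending = set()  # (src, dst, ident) of denied datagrams still in flight

    def decide(self, pkt: bytes) -> str:
        ip = parse_ipv4(pkt)
        key = (ip["src"], ip["dst"], ip["ident"])
        ports = udp_ports(ip)
        if ports is not None:                       # first fragment or unfragmented
            if ip["dst"] == self.target and ports[0] == self.deny_sport:
                if ip["mf"]:
                    self.pending.add(key)           # more pieces of this datagram follow
                return "deny"
            return "allow"
        if key in self.pending:                     # later fragment of a denied datagram
            if not ip["mf"]:
                self.pending.discard(key)           # last fragment seen: forget it
            return "deny"
        return "allow"                              # fragment of some other datagram

def make_ipv4(src, dst, ident, mf, frag_off, payload, proto=17) -> bytes:
    """Build a constructed IPv4 packet (checksum left zero; fine for a parser demo)."""
    flags_frag = (0x2000 if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload
```

The pending set only shrinks when the last fragment (MF clear) arrives, so a real implementation also needs a timeout for datagrams whose tail never shows up, and the 16-bit IP ID can wrap under load, which is why such state is keyed per source/destination pair rather than on the ID alone.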
