14.11.07 @ 12:45 Curby wrote:

> "The ip_input() routine in the kernel then dequeues the packet,
> performs sanity checks on the packet and determines the destination
> for the packet. If the destination is the local computer, the kernel
> will perform packet reassembly."

Yes, but this happens AFTER the firewall. And only for the local computer, not transit traffic.

> from http://usenix.net/events/bsdcon02/full_papers/lidl/lidl_html/index.html

This is an article about BSD/OS ipfw, not FreeBSD's ipfw - they're very different.

> Also, this poster is less sure but suggests that this might happen:
> http://osdir.com/ml/freebsd.isp/2003-02/msg00091.html

He's wrong.

> I also think that Linux iptables only sees reassembled packets (at
> least some of the time, e.g. when it is legitimate traffic destined
> for the host itself), so this isn't altogether wild and crazy.

I don't know about Linux's behaviour in this case (and anyway, it's irrelevant to FreeBSD).

> If in fact reassembly does not happen, I should remove that rule as
> frags will likely not match using a check-state rule because they lack
> tcp/udp header information.  Is there a way in ipfw to allow frags
> that claim to be related to a known-good first frag but drop others?
> Something like check-state but for fragments 1 and above, in other
> words.

No, that needs reassembly. You can try using a divert socket as the first rule on the input, though, as packets get reassembled before diverting. You need to put something listening on the divert socket and echoing packets back. It can be ng_ksocket + ng_echo; try experimenting with them. Or use pf scrub instead of ipfw.

--
WBR, Vadim Goncharov
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw

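As an added example (not code from this thread, and not FreeBSD's own code), here is the divert echo Vadim describes, written as a small C daemon instead of the ng_ksocket + ng_echo netgraph pair. It reads each diverted packet, counts whether it still carries fragment bits (MF flag or non-zero offset), and writes it back unchanged so ipfw resumes at the rule after the divert rule. If packets really are reassembled before diverting, the frags counter stays at zero; that is the check a reader of this thread would want to run. The divert port 8668 and the rule set in the header comment are assumptions chosen for illustration, and the sample headers used by the self-check are constructed, not captured traffic.

```c
/*
 * divert_echo.c: ipfw divert echo daemon with a fragment counter.
 * Added example for this thread; not code from the thread or from FreeBSD.
 *
 * Assumed rule set (port 8668 is an arbitrary divert port):
 *   ipfw add 100 divert 8668 ip from any to any in
 *   ipfw add 200 check-state
 *   ipfw add 300 allow tcp from any to me 22 setup keep-state
 *   ipfw add 65000 deny ip from any to any
 *
 * Build on FreeBSD:  cc -Wall -o divert_echo divert_echo.c
 * Run as root:       ./divert_echo 8668
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 254   /* FreeBSD's value; only meaningful on FreeBSD */
#endif

#define IPV4_MF      0x2000  /* "more fragments" flag in the frag field */
#define IPV4_OFFMASK 0x1fff  /* fragment offset, in 8-byte units */

struct divert_stats { unsigned long total, whole, frags, bad; };

/* Classify a raw IPv4 datagram from its header bytes (parsed by hand so
 * the result does not depend on struct ip bitfield layout).
 * Returns 1 for a fragment (MF set or non-zero offset), 0 for a whole
 * datagram, -1 for a malformed or truncated header. */
int ipv4_is_fragment(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t total = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (ihl < 20 || ihl > len || total < ihl || total > len)
        return -1;
    uint16_t fragfield = (uint16_t)((pkt[6] << 8) | pkt[7]);
    return (fragfield & (IPV4_MF | IPV4_OFFMASK)) ? 1 : 0;
}

/* Update the counters for one packet seen on the divert socket. */
void account_packet(struct divert_stats *s, const uint8_t *pkt, size_t len)
{
    s->total++;
    switch (ipv4_is_fragment(pkt, len)) {
    case 1:  s->frags++; break;
    case 0:  s->whole++; break;
    default: s->bad++;   break;
    }
}

/* Constructed sample headers (not captured traffic): 20-byte IPv4 headers,
 * proto 17, 10.0.0.1 -> 10.0.0.2, differing only in the frag field. */
const uint8_t SAMPLE_WHOLE[20] = {0x45,0,0,0x14, 0,0,0x00,0x00, 64,17,0,0, 10,0,0,1, 10,0,0,2};
const uint8_t SAMPLE_MF[20]    = {0x45,0,0,0x14, 0,0,0x20,0x00, 64,17,0,0, 10,0,0,1, 10,0,0,2};
const uint8_t SAMPLE_OFF1[20]  = {0x45,0,0,0x14, 0,0,0x00,0x01, 64,17,0,0, 10,0,0,1, 10,0,0,2};
const uint8_t SAMPLE_DF[20]    = {0x45,0,0,0x14, 0,0,0x40,0x00, 64,17,0,0, 10,0,0,1, 10,0,0,2};

/* Self-check of the classifier against the samples; returns 1 on success. */
int classifier_selfcheck(void)
{
    struct divert_stats s = {0, 0, 0, 0};
    account_packet(&s, SAMPLE_WHOLE, sizeof SAMPLE_WHOLE);  /* whole datagram */
    account_packet(&s, SAMPLE_MF, sizeof SAMPLE_MF);        /* first fragment */
    account_packet(&s, SAMPLE_OFF1, sizeof SAMPLE_OFF1);    /* later fragment */
    account_packet(&s, SAMPLE_DF, sizeof SAMPLE_DF);        /* DF is not a fragment */
    account_packet(&s, SAMPLE_WHOLE, 10);                   /* truncated header */
    return s.total == 5 && s.whole == 2 && s.frags == 2 && s.bad == 1;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s divert-port\n", argv[0]); return 1; }
    if (!classifier_selfcheck()) { fprintf(stderr, "self-check failed\n"); return 1; }

    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) { perror("socket(IPPROTO_DIVERT)"); return 1; }
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons((uint16_t)atoi(argv[1]));   /* divert port, not a TCP/UDP port */
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) { perror("bind"); return 1; }

    static uint8_t buf[65535];
    struct divert_stats st = {0, 0, 0, 0};
    for (;;) {
        struct sockaddr_in from;
        socklen_t fromlen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) { if (errno == EINTR) continue; perror("recvfrom"); break; }
        account_packet(&st, buf, (size_t)n);
        /* Echo the packet back unchanged. The sockaddr filled in by recvfrom
         * (rule number in sin_port, interface info) tells the kernel where the
         * packet was diverted, so processing resumes at the next rule. */
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fromlen) < 0)
            perror("sendto");
        if (st.total % 1000 == 0)
            fprintf(stderr, "seen %lu: whole=%lu frags=%lu bad=%lu\n",
                    st.total, st.whole, st.frags, st.bad);
    }
    close(fd);
    return 0;
}
```

The sockaddr returned by recvfrom must be handed back to sendto untouched; that is how the kernel distinguishes a re-injection from a new outbound packet. Rule 100 only diverts inbound traffic, so nothing leaving the box passes through the daemon; while it runs, every packet the later check-state rule sees has been through the divert path, so a non-zero frags counter would mean the later rules are still seeing fragments.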