Re: dropping udp fragments with ipfw
Date: Thu, 29 Aug 2024 19:45:55 UTC
On Thu, Aug 29, 2024 at 8:52 PM mike tancsa <mike@sentex.net> wrote:

> But this would kill all UDP fragments. If the host has some other UDP
> application that needs to deal with fragmented packets, is there a way
> to get around that and only drop packets with a certain port in the
> first fragment ?

When a packet is fragmented, only the IP header (not the UDP header that includes the port number) is copied for all subsequent fragmented packets. To fix this behavior, you can instruct the firewall to reassemble the packet before performing UDP/TCP port filtering. Refer to the ipfw(4) man page on the "reass" keyword, which provides the following example:

    ipfw add reass all from any to any in

I hope this helps!
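
The point made in the reply above, as an added example that is not part of the original message and is not ipfw code: a small Python model of why a port match applied per fragment only ever sees the first fragment, and why the verdict covers the whole datagram once it is reassembled first. Port 9999, the 16-byte fragment size and the helper names are constructed for illustration.

```python
import struct

def udp_datagram(sport, dport, payload):
    """8-byte UDP header plus payload (checksum left 0 for this model)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def fragment(ip_payload, size=16):
    """Split an IP payload into (offset in 8-byte units, MF flag, data)."""
    assert size % 8 == 0  # fragment offsets are counted in 8-byte units
    return [(off // 8, off + size < len(ip_payload), ip_payload[off:off + size])
            for off in range(0, len(ip_payload), size)]

def dst_port(frag):
    """Port a per-fragment filter can see: only offset 0 holds the UDP header."""
    offset, _mf, data = frag
    if offset != 0 or len(data) < 8:
        return None
    return struct.unpack("!HHHH", data[:8])[1]

def filter_per_fragment(frags, blocked_port):
    """Port rule applied to each fragment on its own (no reassembly)."""
    return [f for f in frags if dst_port(f) != blocked_port]

def reassemble(frags):
    """Return the full IP payload, or None while fragments are missing."""
    if not frags:
        return None
    buf = bytearray()
    for offset, mf, data in sorted(frags):
        if offset * 8 != len(buf):
            return None          # hole or overlap: cannot decide yet
        buf += data
    return None if mf else bytes(buf)  # last fragment must have MF clear

def verdict_after_reass(frags, blocked_port):
    """Port rule applied after reassembly: one verdict for the datagram."""
    whole = reassemble(frags)
    if whole is None:
        return "pending"
    port = struct.unpack("!HHHH", whole[:8])[1]
    return "deny" if port == blocked_port else "allow"

if __name__ == "__main__":
    frags = fragment(udp_datagram(40000, 9999, b"A" * 40))  # constructed sample
    print("ports seen per fragment:", [dst_port(f) for f in frags])
    print("fragments passing a per-fragment rule:",
          len(filter_per_fragment(frags, 9999)))
    print("verdict after reassembly:", verdict_after_reass(frags, 9999))
```
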