Re: dropping udp fragments with ipfw
- In reply to: mike tancsa : "dropping udp fragments with ipfw"
Date: Mon, 02 Sep 2024 06:53:55 UTC
with "add pass udp" one creates a rule that permits initial fragments of a datagram, or unfragmented datagram, to pass. if this doesn't happen, then no subsequent fragment will matter even if allowed through -- because there will be no endpoint state to allow those fragments to be reassembled. so:

    add allow ip from any to any frag

works pretty well. per ipfw(8), the "frag" option means non-initial fragments:

    Fragmented packets which have a non-zero offset (i.e., not the first
    fragment) will never match a rule which has one or more port
    specifications. See the frag option for details on matching
    fragmented packets.

and:

    frag spec
        Matches IPv4 packets whose ip_off field contains the comma
        separated list of IPv4 fragmentation options specified in spec.
        The recognized options are: df (don't fragment), mf (more
        fragments), rf (reserved fragment bit), offset (non-zero fragment
        offset). The absence of a particular option may be denoted with a
        '!'. An empty list of options defaults to matching on non-zero
        fragment offset. Such a rule would match all non-first-fragment
        datagrams, both IPv4 and IPv6. This is for backward compatibility
        with older rulesets.

i won't use "reass" on a firewall for the same reasons i don't use LRO:

> LRO should not operate on machines acting as routers, as it breaks the
> end-to-end principle and can significantly impact performance.[13][14]

(https://en.wikipedia.org/wiki/TCP_offload_engine#Large_receive_offload)

if your question is about endpoint ipfw rather than IP firewall ipfw, reass is fine.

if what you want to do is drop large UDP attacks you probably do not care whether fragments are involved and you should be looking at "pipe" and "queue" from dummynet(4). if you really want to send only non-initial fragments to some special pipe or queue you can do that, of course.
-- 
P Vixie

On Thursday, August 29, 2024 11:51:37 AM PDT mike tancsa wrote:
> I was working on some firewall rules to drop large UDP fragment attacks
> and noticed there is no easy way to drop fragments based on port? e.g.
> if someone sends a UDP packet of 1400 bytes, I can drop it with
>
> TARGET=192.168.1.1
>
> ipfw add 5 deny log udp from any 53 to $TARGET
>
> But if that packet is say 2000 bytes and is fragmented, the fragment
> passes through. I have to add a subsequent rule
>
> ipfw add 10 deny log udp from any to $TARGET fragment
>
> But this would kill all UDP fragments. If the host has some other UDP
> application that needs to deal with fragmented packets, is there a way
> to get around that and only drop packets with a certain port in the
> first fragment?
>
> ---Mike
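An added example, not code from either poster, that models the matching behaviour the reply describes: a rule with a port spec can only ever match the offset-0 fragment (the one carrying the UDP header), while a bare "frag" rule matches the non-initial fragments. The Pkt and Rule classes, the source addresses and the fragmenter are constructed for illustration; rule 5 mirrors the thread's deny rule, rule 10 is the reply's "allow ip from any to any frag", and rule 20 stands in for the host's other UDP services.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pkt:                       # constructed packet: only the fields ipfw checks here
    proto: str
    src: str
    dst: str
    offset: int                  # ip_off fragment offset; 0 = initial or unfragmented
    sport: Optional[int] = None  # the UDP header exists only in the offset-0 fragment
@dataclass
class Rule:
    num: int
    action: str                  # "allow" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # "any" or an address
    sport: Optional[int]         # source port spec, or None
    dst: str
    frag: bool = False           # bare "frag": match non-zero offset only
def matches(rule: Rule, p: Pkt) -> bool:
    if rule.proto != "ip" and rule.proto != p.proto:
        return False
    if rule.src not in ("any", p.src) or rule.dst not in ("any", p.dst):
        return False
    if rule.frag and p.offset == 0:
        return False
    # ipfw(8): a rule with a port spec never matches a non-initial fragment,
    # since that fragment carries no transport header to compare against.
    return rule.sport is None or (p.offset == 0 and p.sport == rule.sport)

def verdict(rules, p: Pkt):
    """First matching rule wins, as in ipfw; a default-deny tail is assumed."""
    for r in sorted(rules, key=lambda r: r.num):
        if matches(r, p):
            return r.num, r.action
    return 65535, "deny"

def fragments(src, dst, sport, length, mtu=1500):
    """Split a UDP datagram of `length` IP-payload bytes into IPv4 fragments."""
    per = (mtu - 20) // 8 * 8    # each fragment's data is a multiple of 8 bytes
    return [Pkt("udp", src, dst, off // 8, sport if off == 0 else None)
            for off in range(0, length, per)]

TARGET = "192.168.1.1"
RULES = [Rule(5, "deny", "udp", "any", 53, TARGET),             # rule 5 from the thread
         Rule(10, "allow", "ip", "any", None, "any", frag=True),  # "allow ip from any to any frag"
         Rule(20, "allow", "udp", "any", None, TARGET)]           # other UDP services on TARGET
def verdicts(src, sport, length=2000):
    return [verdict(RULES, p) for p in fragments(src, TARGET, sport, length)]
```

For a 2000-byte datagram from port 53 the first fragment is denied by rule 5 and the second is passed by rule 10, which is harmless for the reason the reply gives: without the initial fragment there is no reassembly state for it to join. A same-sized datagram from some other source port passes both fragments (rules 20 and 10), so the host's other UDP applications keep working.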