Fragmented Packet Reassembly and IPFW2
Julian Elischer
julian at elischer.org
Tue Nov 13 15:09:31 PST 2007
Curby wrote:
> Hi, this is slightly off-topic as it relates to IPFW2 in Mac OS X (as
> of Tiger, 10.4.x).
>
> I've read that when a FreeBSD machine running IPFW2 receives a
> fragmented TCP packet (and let's say that the machine itself is the
> intended destination), the packet is reassembled before it gets to
> IPFW2, and IPFW2 sees a single TCP packet. Basically, the (first)
> question is whether this is the case in OS X.
I don't believe that happens in FreeBSD... where did you hear that?
*adds looking at the code to 10,000-item list of things to do*
>
> Next, and especially if reassembly occurs before the firewall, what is
> the point of the frag flag in a rule body, e.g.:
>
> add 04010 deny log all from any to any frag in
>
> Question 2 in a nutshell: what's the point of "frag" if frags are
> already being reassembled? Is this meant to reject incoming frags
> that aren't reassembled by the kernel (i.e. crap traffic)? I'm
> actually using the exact rule above in my laptop firewall
> configuration, and the only time I've seen it triggering is at a
> conference's wifi network, where other clients would be sending
> multicast frags to 224.0.0.251. (If that's crap traffic, why would it
> be rampant at that conference?) Thanks!
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
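A worked illustration of what the `frag` keyword in the rule above actually selects, added here as an editor's example; it is my own code, not code from either poster or from the FreeBSD ipfw sources. It builds a constructed TCP datagram, fragments it RFC 791 style (offsets in 8-byte units, MF set on all but the last piece), and classifies each piece the way the `frag` option in ipfw(8) of that era does: `frag` matches only fragments with a non-zero fragment offset, i.e. not the first fragment, and such fragments carry no TCP/UDP header for port options to inspect. The `reassemble()` helper is a simplified single-datagram illustration of why a firewall judging fragments one at a time cannot see the whole packet; it is not the kernel's reassembly code. Addresses, ports, and the IP ID are made-up sample values.

```python
import socket
import struct

IP_DF = 0x4000        # "don't fragment" flag
IP_MF = 0x2000        # "more fragments" flag
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units
IPV4_HDR = "!BBHHHBBH4s4s"

def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_ipv4(src, dst, proto, ident, payload, mf=False, df=False, offset=0):
    """Minimal 20-byte IPv4 header + payload; offset is in 8-byte units."""
    flags_frag = (IP_DF if df else 0) | (IP_MF if mf else 0) | (offset & OFFSET_MASK)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt):
    """Decode the fields a fragment-aware firewall looks at."""
    (vihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "ident": ident, "proto": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "df": bool(flags_frag & IP_DF), "mf": bool(flags_frag & IP_MF),
        "offset": flags_frag & OFFSET_MASK,   # 8-byte units
        "payload": pkt[ihl:total_len],
    }

def fragment(pkt, mtu):
    """Split one IPv4 datagram into fragments that each fit within mtu."""
    p = parse_ipv4(pkt)
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) <= mtu:
        return [pkt]
    if p["df"]:
        raise ValueError("DF set: datagram may not be fragmented")
    chunk = ((mtu - ihl) // 8) * 8        # payload per fragment, multiple of 8
    frags = []
    for off in range(0, len(p["payload"]), chunk):
        piece = p["payload"][off:off + chunk]
        last = off + chunk >= len(p["payload"])
        frags.append(build_ipv4(p["src"], p["dst"], p["proto"], p["ident"], piece,
                                mf=not last, offset=off // 8))
    return frags

def ipfw_frag_matches(pkt):
    """ipfw 'frag': matches fragments that are NOT the first fragment (offset != 0)."""
    return parse_ipv4(pkt)["offset"] != 0

def visible_tcp_ports(pkt):
    """Ports a per-packet rule can see: only in the first fragment of a TCP datagram."""
    p = parse_ipv4(pkt)
    if p["proto"] != 6 or p["offset"] != 0 or len(p["payload"]) < 4:
        return None
    return struct.unpack("!HH", p["payload"][:4])

def reassemble(frags):
    """Simplified reassembly: requires a contiguous, complete set of fragments."""
    parsed = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    data, expected = b"", 0
    for p in parsed:
        if p["offset"] * 8 != expected:
            raise ValueError("hole in fragment sequence")
        data += p["payload"]
        expected += len(p["payload"])
    if parsed[-1]["mf"]:
        raise ValueError("last fragment missing")
    p0 = parsed[0]
    return build_ipv4(p0["src"], p0["dst"], p0["proto"], p0["ident"], data)

# Constructed sample: a TCP segment (fake 20-byte TCP header, sport 12345 -> dport 80)
# with 1380 bytes of data, wrapped in IPv4 from 10.0.0.1 to 10.0.0.2, IP ID 0x1234.
FAKE_TCP_HDR = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, 0x50, 0x18, 65535, 0, 0)
SAMPLE_DATAGRAM = build_ipv4("10.0.0.1", "10.0.0.2", 6, 0x1234, FAKE_TCP_HDR + b"A" * 1380)

def classify(frags):
    """(offset, MF, matches 'frag', visible ports) for each piece."""
    return [(parse_ipv4(f)["offset"], parse_ipv4(f)["mf"],
             ipfw_frag_matches(f), visible_tcp_ports(f)) for f in frags]

if __name__ == "__main__":
    for row in classify(fragment(SAMPLE_DATAGRAM, 576)):
        print("offset=%d mf=%s frag_rule_matches=%s ports=%s" % row)
```

Run it and the 1420-byte datagram comes out as three fragments at a 576-byte MTU: the first (offset 0, MF set) does not match `frag` and still shows the TCP ports, while the second and third match `frag` and expose no transport header at all. That is the practical reading of `deny all from any to any frag in`: it drops the trailing pieces, which on their own give a port-based rule nothing to match, and leaves the first fragment to the rest of the ruleset.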