m***@gmail.com
2013-08-25 11:27:19 UTC
Hello,

I am trying and so far failing to understand how to set up PF to drop some fragments and reassemble others.

So far as I can tell fragment reassembly is an all or nothing choice with the set reassemble option. If it is specified how to do this on a per rule basis I have missed this.

I know that some packets (or packet fragments) should not pass through the filter and have no interest in reassembling them. For example

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"
block drop in quick on $ext_if from $martians to any

Other packet fragments I am very interested in reassembling and scrubbing before forwarding to servers. For example

match in all scrub (max-mss 1440 min-ttl 4 reassemble tcp)
pass proto tcp from any to $webserver port $webports
pass proto tcp from any to $emailserver port $email

So far I can either do the first part and drop the fragments with set reassembly off but then not reassemble traffic to the servers, or have reassemble on and store fragments unnecessarily. Of course some fragments may have to be stored until enough information is available to see the TCP/UDP header to determine which rule the reassembled packet matches.

I am slightly concerned about a pathological or malicious case where PF's fragment store can be filled by traffic that should never be accepted and possibly from spoofed addresses. It seems similar to an attack reported against other systems, for example
http://www.checkpoint.com/defense/advisories/public/2004/cpai-2004-16.html

Is it possible to reassemble some fragments and not others, or is the best approach to deploy a screening router/another PF to filter but not reassemble in addition to the PF reassembling and scrubbing?

Regards
Mark
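The design the post is asking for, screening fragments against the martian list before they are allowed to occupy a bounded reassembly store, modelled in Python as an added example (this is not PF's code and not from the post; the store limit, the oldest-first eviction policy, the key on (src, dst, IP ID) and the sample addresses are constructed assumptions):

```python
from collections import OrderedDict
from ipaddress import ip_address, ip_network

# The martian list from the post, as networks (constructed for this model).
MARTIANS = [ip_network(n) for n in (
    "127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
    "169.254.0.0/16", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/4")]


def is_martian(src):
    """True when the source address can never pass the filter."""
    a = ip_address(src)
    return any(a in n for n in MARTIANS)


class FragStore:
    """Bounded reassembly store keyed by (src, dst, ip_id).

    Assumed model of a 'frags'-style limit: the limit counts incomplete
    datagrams, and when it is reached the oldest one is evicted so that
    spoofed fragments can only displace each other, not grow the store.
    """

    def __init__(self, limit):
        self.limit = limit
        self.entries = OrderedDict()  # key -> {"frags": {offset: bytes}, "total": int|None}
        self.dropped = 0

    def add(self, src, dst, ip_id, offset, more_fragments, payload):
        # Screen before storing: martian sources cost no store memory at all.
        if is_martian(src):
            self.dropped += 1
            return None
        key = (src, dst, ip_id)
        if key not in self.entries:
            if len(self.entries) >= self.limit:
                self.entries.popitem(last=False)  # evict the oldest datagram
                self.dropped += 1
            self.entries[key] = {"frags": {}, "total": None}
        entry = self.entries[key]
        entry["frags"][offset] = payload
        if not more_fragments:  # last fragment fixes the datagram length
            entry["total"] = offset + len(payload)
        return self._try_complete(key, entry)

    def _try_complete(self, key, entry):
        """Return the reassembled payload once every byte up to total is present."""
        if entry["total"] is None:
            return None
        data, pos = b"", 0
        for off in sorted(entry["frags"]):
            if off != pos:
                return None  # gap: keep waiting for the missing fragment
            data += entry["frags"][off]
            pos = off + len(entry["frags"][off])
        if pos != entry["total"]:
            return None
        del self.entries[key]
        return data
```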