Subject: how to keep state AND frags w/ ipfilter4?
To: None <>
From: Arto Selonen <>
List: current-users
Date: 09/24/2004 17:39:24

Not sure if this is yet another bug in ipfilter4, or if I just failed to
read/understand/use correctly the documentation regarding the issue.

Previously (=ipfilter 3), I had a rule like this:

pass in quick proto tcp from any to a.b.c.d/32 port = 88 flags S keep frags keep state group 12345

Without the "keep frags" part, fragmented traffic would not match against
the state (and eventually get blocked), but with it things seemed to work
without problems.

When I moved to ipfilter4 (-current from ~20040922), the rule produces
the following error:

# /etc/rc.d/ipfilter reload
Reloading ipfilter rules.
syntax error error at "keep", line 517

Yes, that is "error error".
Strictly speaking, the ipf.conf man page has "always" said:

	keep = "keep" "state" | "keep" "frags"

So, only one of them should be used per rule?
Then how do I create a rule (set) that does not allow fragments
through unless there is a matching state entry (I guess to match against
any state entry reassembly should be done).

I could write:

pass in quick proto tcp from any to a.b.c.d/32 port = 88 flags S with frag keep state group 12345

but I think that would only match fragmented SYN packets (or the part(s)
that could be recognized as such)?

#######======------  --------========########
Everstinkuja 5 B 35                               Don't mind doing it.
FIN-02600 Espoo         Don't mind not doing it.
Finland              tel +358 50 560 4826     Don't know anything about it.