Subject: how to keep state AND frags w/ ipfilter4?
To: None <firstname.lastname@example.org>
From: Arto Selonen <email@example.com>
Date: 09/24/2004 17:39:24
Not sure if this is yet another bug in ipfilter4, or if I just failed to
read/understand/use correctly the documentation regarding the issue.
Previously (=ipfilter 3), I had a rule like this:
pass in quick proto tcp from any to a.b.c.d/32 port = 88 flags S keep frags keep state group 12345
Without the "keep frags" part, fragmented traffic would not match against
the state (and eventually get blocked), but with it things seemed to work.
When I moved to ipfilter4 (-current from ~20040922), the rule produces
the following error:
# /etc/rc.d/ipfilter reload
Reloading ipfilter rules.
syntax error error at "keep", line 517
Yes, that is "error error".
Strictly speaking, the ipf.conf man page has "always" said:
keep = "keep" "state" | "keep" "frags"
So, only one of them should be used per rule?
Then how do I create a rule (set) that does not allow fragments
through unless there is a matching state entry? (I guess that to match against
any state entry, reassembly should be done.)
I could write:
pass in quick proto tcp from any to a.b.c.d/32 port = 88 flags S with frag keep state group 12345
but I think that would only match fragmented SYN packets (or the part(s)
that could be recognized as such)?
#######======------ http://www.selonen.org/arto/ --------========########
Everstinkuja 5 B 35 Don't mind doing it.
FIN-02600 Espoo firstname.lastname@example.org Don't mind not doing it.
Finland tel +358 50 560 4826 Don't know anything about it.