On 21 Feb 2021, at 0:02, Doug Hardie wrote:
> On 20 February 2021, at 04:13, Kristof Provost <k...@freebsd.org> wrote:
> > If you don’t have scrub fragment reassemble set then you have to
> > include something like pass log inet6 proto ipv6-frag all to pass
> > fragmented packets (assuming you block by default).
> > You really, really want scrub fragment reassemble because otherwise
> > your firewall can be trivially bypassed, but you need one of the two
> > for fragmented packets to work.
> I went with reassembly as it was easy to configure. However, is there
> some place where the trivial bypassing is addressed in detail? I
> would like to understand that.
Essentially this:
https://en.wikipedia.org/wiki/IP_fragmentation_attack#Fragmentation_for_evasion
The attacker breaks up the packet into fragments so that the real upper
layer header (e.g. TCP) is not in the first packet. All the firewall
sees is a fragmentation header and a few random bytes. Not enough to,
for example, get the port number. So the firewall allows it through
(‘pass log inet6 proto ipv6-frag’), and your policy to deny traffic
to port 22 has not been applied.
Best regards,
Kristof
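The evasion Kristof describes, as an added worked example that is not part of the thread or of pf itself: a toy IPv6 packet builder, a per-packet header-chain inspector standing in for a ruleset that blocks TCP port 22 but has `pass log inet6 proto ipv6-frag all`, and a minimal reassembler standing in for `scrub fragment reassemble`. The attacker's SYN to port 22 is split so the first fragment carries only a padding-only Destination Options header and the TCP header lands in the second fragment. Addresses, the fragment identification value and the layout (Fragment header directly after the fixed IPv6 header) are assumptions of this example; a real pf ruleset and pf's own reassembly code are not reproduced here.

```python
"""Toy model of IPv6 fragment evasion against a firewall that does not reassemble.

Constructed example: addresses, ports and fragment identification are made up.
Only the headers needed for the demonstration are modelled.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_FRAGMENT = 44
IPPROTO_DSTOPTS = 60
SRC = bytes.fromhex("20010db8000000000000000000000001")  # assumed attacker address
DST = bytes.fromhex("20010db8000000000000000000000002")  # assumed target address


def ipv6_header(payload_len, next_header):
    # Fixed 40-byte header: version 6, no traffic class/flow label, hop limit 64
    return struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64) + SRC + DST


def fragment_header(next_header, offset8, more, ident):
    # Fragment offset in 8-byte units in the high 13 bits, M (more) flag in bit 0
    return struct.pack("!BBHI", next_header, 0, (offset8 << 3) | (1 if more else 0), ident)


def dstopts_header(next_header):
    # 8-byte Destination Options header carrying a single PadN option (no real content)
    return struct.pack("!BBBB", next_header, 0, 1, 4) + b"\x00" * 4


def tcp_header(sport, dport):
    # 20-byte SYN with data offset 5 and no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_syn_to_port(dport, fragmented, ident=0xC0FFEE):
    """Return the wire packets for one TCP SYN, either whole or split so that the
    first fragment contains no upper-layer header at all."""
    tcp = tcp_header(40000, dport)
    if not fragmented:
        return [ipv6_header(len(tcp), IPPROTO_TCP) + tcp]
    dstopts = dstopts_header(IPPROTO_TCP)          # fragmentable part, first header
    first = fragment_header(IPPROTO_DSTOPTS, 0, True, ident) + dstopts
    second = fragment_header(IPPROTO_DSTOPTS, 1, False, ident) + tcp   # offset 1 = 8 bytes
    return [ipv6_header(len(first), IPPROTO_FRAGMENT) + first,
            ipv6_header(len(second), IPPROTO_FRAGMENT) + second]


def inspect(pkt):
    """Walk the header chain of a single packet as a non-reassembling filter would.
    Returns ("tcp", dport) if the TCP header is visible, ("fragment", None) if the
    chain runs into a fragment boundary before that, else ("other", next_header)."""
    plen, nh = struct.unpack("!HB", pkt[4:7])
    off, end, fragmented = 40, 40 + plen, False
    while True:
        if nh == IPPROTO_FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 != 0:
                return ("fragment", None)        # non-first fragment: no chain to walk
            fragmented, nh, off = True, pkt[off], off + 8
        elif nh == IPPROTO_DSTOPTS:
            hlen = (pkt[off + 1] + 1) * 8 if off + 2 <= end else end
            if off + hlen > end:
                return ("fragment", None)
            nh, off = pkt[off], off + hlen
        elif nh == IPPROTO_TCP:
            if off + 20 > end:                   # TCP header not in this packet
                return ("fragment" if fragmented else "other", None)
            return ("tcp", struct.unpack("!H", pkt[off + 2:off + 4])[0])
        else:
            return ("other", nh)


def policy(kind, port):
    """Ruleset from the thread: default block, pass ipv6-frag, block TCP to port 22."""
    if kind == "fragment":
        return "pass"                            # pass log inet6 proto ipv6-frag all
    if kind == "tcp":
        return "block" if port == 22 else "pass"
    return "block"


class Reassembler:
    """Minimal stand-in for scrub fragment reassemble (Fragment header right after
    the fixed header only). feed() returns a whole packet or None while waiting."""
    def __init__(self):
        self.buf = {}

    def feed(self, pkt):
        plen, nh = struct.unpack("!HB", pkt[4:7])
        if nh != IPPROTO_FRAGMENT:
            return pkt
        inner_nh, _, offm, ident = struct.unpack("!BBHI", pkt[40:48])
        frags = self.buf.setdefault((pkt[8:24], pkt[24:40], ident), {})
        frags[(offm >> 3) * 8] = (pkt[48:40 + plen], offm & 1)
        data, pos = b"", 0                       # complete when contiguous from 0 to M=0
        while pos in frags:
            chunk, more = frags[pos]
            data, pos = data + chunk, pos + len(chunk)
            if not more:
                del self.buf[(pkt[8:24], pkt[24:40], ident)]
                return ipv6_header(len(data), inner_nh) + data
        return None


def firewall(packets, reassemble):
    """Return the verdicts produced for the given wire packets."""
    rs, verdicts = Reassembler(), []
    for pkt in packets:
        if reassemble:
            pkt = rs.feed(pkt)
            if pkt is None:
                continue                         # held until the rest arrives
        verdicts.append(policy(*inspect(pkt)))
    return verdicts


def ssh_syn_gets_through(fragmented, reassemble):
    verdicts = firewall(build_syn_to_port(22, fragmented), reassemble)
    return bool(verdicts) and all(v == "pass" for v in verdicts)


if __name__ == "__main__":
    print("whole SYN, no reassembly  :", ssh_syn_gets_through(False, False))
    print("fragmented, no reassembly :", ssh_syn_gets_through(True, False))   # bypass
    print("fragmented, reassembly    :", ssh_syn_gets_through(True, True))
```

Without reassembly both fragments match only the ipv6-frag rule (the first because the chain ends at the fragment boundary before any TCP header, the second because a non-zero offset means there is no header chain to read), so the port 22 policy is never consulted. With reassembly the filter sees one packet with the TCP header in place and blocks it. Note that RFC 7112 forbids first fragments that do not carry the whole header chain and says receiving hosts should discard them, but a firewall that passes fragments blind is still relying on the host behind it to do so.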
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"