I was working on some firewall rules to drop large UDP fragment attacks
and noticed there is no easy way to drop fragments based on port ? e.g.
if someone sends a UDP packet of 1400 bytes, I can drop it with
TARGET=192.168.1.1
ipfw add 5 deny log udp from any 53 to $TARGET
But if that packet is say 2000 bytes and is fragmented, the fragment
passes through. I have to add a subsequent rule
ipfw add 10 deny log udp from any to $TARGET fragment
But this would kill all UDP fragments. If the host has some other UDP
application that needs to deal with fragmented packets, is there a way
to get around that and only drop packets with a certain port in the
first fragment ?
---Mike