I was working on some firewall rules to drop large UDP fragment attacks and noticed there is no easy way to drop fragments based on port? E.g. if someone sends a UDP packet of 1400 bytes, I can drop it with

TARGET=192.168.1.1

ipfw add 5 deny log udp from any 53 to $TARGET

But if that packet is say 2000 bytes and is fragmented, the fragment passes through. I have to add a subsequent rule

ipfw add 10 deny log udp from any to $TARGET fragment

But this would kill all UDP fragments. If the host has some other UDP application that needs to deal with fragmented packets, is there a way to get around that and only drop packets with a certain port in the first fragment?

    ---Mike
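Added example, not part of Mike's post: a small Python model of what a packet filter can and cannot see in IP fragments. Only the first fragment (offset 0) carries the UDP header, so a rule that matches on port 53 fires on that fragment alone, and the later fragments of the same datagram carry no ports at all; the ipfw `frag` option matches exactly those non-first fragments, which is why the second rule in the post catches every fragmented UDP stream. FreeBSD's ipfw later gained a `reass` action that reassembles fragments before subsequent rules see the datagram, and the `Reassembler` class below models that idea so the port rule can be applied to the whole datagram. The packets are constructed in the script (no captures); `TARGET` is the address from the post, while the source addresses, the attack port 4000 and the "other application" on port 5000 are assumptions for illustration. IP and UDP checksums are left zero, which is fine for a model that never puts the packets on a wire.

```python
"""Model of how a packet filter such as ipfw sees IP fragments.
Constructed packets only; addresses/ports other than TARGET are assumptions."""
import struct
from collections import defaultdict

TARGET = "192.168.1.1"   # host from the post
UDP = 17


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def make_fragments(src, dst, sport, dport, data, ident=0x1234, mtu=1500):
    """Build one UDP/IPv4 datagram and split it the way a 1500-byte MTU would:
    every non-final fragment carries a multiple of 8 transport bytes."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    chunk = (mtu - 20) // 8 * 8                # 1480 bytes per fragment
    frags = []
    for off in range(0, len(udp), chunk):
        part = udp[off:off + chunk]
        more = 1 if off + chunk < len(udp) else 0
        flags_off = (more << 13) | (off // 8)   # MF bit, 13-bit offset in 8-byte units
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(part), ident,
                          flags_off, 64, UDP, 0, _ip(src), _ip(dst))
        frags.append(hdr + part)
    return frags


def parse(pkt):
    """Decode what a filter can see in one packet. Ports exist only in a
    first fragment (offset 0) that is long enough to hold the UDP header."""
    ver_ihl, _, total, ident, flags_off, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    p = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
         "id": ident, "proto": proto, "mf": bool(flags_off & 0x2000),
         "offset": (flags_off & 0x1FFF) * 8, "payload": pkt[ihl:total],
         "sport": None, "dport": None}
    if proto == UDP and p["offset"] == 0 and len(p["payload"]) >= 8:
        p["sport"], p["dport"] = struct.unpack("!HH", p["payload"][:4])
    return p


def rule_port53(p):
    """ipfw add 5 deny log udp from any 53 to $TARGET (needs a visible port)."""
    return p["proto"] == UDP and p["sport"] == 53 and p["dst"] == TARGET


def rule_frag(p):
    """ipfw add 10 deny log udp from any to $TARGET frag (non-first fragments)."""
    return p["proto"] == UDP and p["dst"] == TARGET and p["offset"] != 0


def verdict(pkt, rules):
    """First matching deny rule wins, as in ipfw; None means the packet passes."""
    p = parse(pkt)
    for num, match in rules:
        if match(p):
            return num
    return None


class Reassembler:
    """Collect fragments per (src, dst, id, proto) and hand back the whole
    datagram once every byte is present, the idea behind ipfw's reass action.
    Assumes 20-byte IP headers, as built by make_fragments."""

    def __init__(self):
        self.pending = defaultdict(dict)        # key -> {offset: (payload, mf)}

    def feed(self, pkt):
        p = parse(pkt)
        if not p["mf"] and p["offset"] == 0:
            return pkt                          # not fragmented at all
        key = (p["src"], p["dst"], p["id"], p["proto"])
        parts = self.pending[key]
        parts[p["offset"]] = (p["payload"], p["mf"])
        have, total = 0, 0
        for off in sorted(parts):
            if off != have:
                return None                     # gap: still waiting
            payload, mf = parts[off]
            have += len(payload)
            if not mf:
                total = have                    # last fragment seen
        if total == 0 or have != total:
            return None
        data = b"".join(parts[off][0] for off in sorted(parts))
        del self.pending[key]
        hdr = bytearray(pkt[:20])
        struct.pack_into("!H", hdr, 2, 20 + len(data))   # total length
        struct.pack_into("!H", hdr, 6, 0)                # clear MF and offset
        return bytes(hdr) + data


def demo():
    """Run the post's rule sets, then the reassemble-first approach, over a
    hostile 2000-byte datagram from port 53 and a legitimate fragmented
    datagram from another UDP service. Returns the verdict for each case."""
    attack = make_fragments("10.0.0.5", TARGET, 53, 4000, b"A" * 1992)    # assumed
    legit = make_fragments("10.0.0.9", TARGET, 5000, 5000, b"B" * 1992)   # assumed
    port_only = [(5, rule_port53)]
    with_frag = [(5, rule_port53), (10, rule_frag)]
    out = {"attack_port_only": [verdict(f, port_only) for f in attack],
           "attack_with_frag": [verdict(f, with_frag) for f in attack],
           "legit_with_frag": [verdict(f, with_frag) for f in legit]}
    r = Reassembler()
    for name, frags in (("attack", attack), ("legit", legit)):
        whole = [w for w in (r.feed(f) for f in frags) if w is not None]
        out[name + "_reassembled"] = verdict(whole[0], port_only) if whole else "incomplete"
    return out


if __name__ == "__main__":
    print(demo())
```

With only rule 5, the attack's first fragment is dropped and its second passes (no port to match); adding rule 10 drops the second fragment but also the second fragment of the port-5000 datagram. Reassembling first lets the port-53 rule drop the whole attack datagram while the port-5000 one passes untouched. The cost, on a real firewall as in this model, is holding fragment state until a datagram completes or times out.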

