On 8/29/2024 3:45 PM, Olivier Cochard-Labbé wrote:
> On Thu, Aug 29, 2024 at 8:52 PM mike tancsa <m...@sentex.net> wrote:
>> But this would kill all UDP fragments. If the host has some other UDP
>> application that needs to deal with fragmented packets, is there a way
>> to get around that and only drop packets with a certain port in the
>> first fragment?
>
> When a packet is fragmented, only the IP header (not the UDP header
> that includes the port number) is copied for all subsequent fragmented
> packets.
> To fix this behavior, you can instruct the firewall to reassemble the
> packet before performing UDP/TCP port filtering.
> Refer to the ipfw(4) man page on the "reass" keyword, which provides
> the following example:
>
> ipfw add reass all from any to any in
>
> I hope this helps!
Thanks very much, it does! Under DDoS attack, how "expensive" would
this be? I noticed there are some default queue limits that probably
would be exhausted fairly quickly. I might look instead for this use
case to use the chelsio NIC rules (via cxgbetool) and just drop with
something like this

cxgbetool t5nex0 filter 10 sip 0.0.0.0/0 sport 53 dip 192.168.1.1/32 proto 17 action drop
cxgbetool t5nex0 filter 11 sip 0.0.0.0/0 dip 192.168.1.1/32 proto 17 frag 1 action drop

to protect the customer downstream and then get rid of rule 11 once the
pps rate drops back to normal.
---Mike
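The point Olivier makes above (only the offset-0 fragment carries the UDP header, so a port rule can never match the later fragments) is easy to see by building the fragments yourself. The script below is an added illustration, not code from this thread or from FreeBSD: it constructs an IPv4/UDP datagram, fragments it the way an IPv4 router does (RFC 791: every fragment repeats the IP header, the UDP header travels only in the first piece), then compares three policies on the pieces: a per-fragment source-port rule (what a plain ipfw/cxgbetool port match does), a blanket "drop any fragment" rule (the collateral damage Mike's first question is about), and reassemble-then-match (what ipfw `reass` enables). The addresses, ports and payloads are constructed; the reassembler is a toy that assumes all fragments are present and ignores the timeouts and queue limits a real reassembly queue has, which is exactly the cost question raised in the reply.

```python
import socket
import struct

IPPROTO_UDP = 17
MF_FLAG = 0x2000  # "More Fragments" bit in the IPv4 flags/fragment-offset field


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over the 20-byte header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(total_len, ident, mf, offset, proto, src, dst) -> bytes:
    """Build a 20-byte IPv4 header; offset is in bytes (a multiple of 8)."""
    flags_frag = (MF_FLAG if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"ihl": ihl, "ident": f[3], "mf": bool(f[4] & MF_FLAG),
            "offset": (f[4] & 0x1FFF) * 8, "proto": f[6],
            "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "payload": pkt[ihl:f[2]]}


def build_udp_packet(src, dst, sport, dport, payload, ident) -> bytes:
    """Unfragmented IPv4/UDP packet (UDP checksum 0 = not computed, legal on IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(20 + len(udp), ident, False, 0, IPPROTO_UDP, src, dst) + udp


def fragment(pkt: bytes, mtu: int) -> list:
    """Split like an IPv4 router does: every fragment repeats the IP header only;
    the UDP header is inside the data of the offset-0 fragment and nowhere else."""
    h = parse_ipv4(pkt)
    data, chunk, frags = h["payload"], (mtu - h["ihl"]) // 8 * 8, []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        more = off + chunk < len(data)
        frags.append(ipv4_header(20 + len(piece), h["ident"], more, off,
                                 h["proto"], h["src"], h["dst"]) + piece)
    return frags


def match_sport(pkt: bytes, sport: int) -> bool:
    """A per-packet rule like 'drop udp from any 53 to any'. Only a fragment at
    offset 0 carries the UDP header, so that is the only one it can match."""
    h = parse_ipv4(pkt)
    if h["proto"] != IPPROTO_UDP or h["offset"] != 0 or len(h["payload"]) < 8:
        return False
    return struct.unpack("!H", h["payload"][:2])[0] == sport


def is_fragment(pkt: bytes) -> bool:
    """Blanket 'kill all fragments' rule: matches every piece of a fragmented datagram."""
    h = parse_ipv4(pkt)
    return h["mf"] or h["offset"] != 0


def reassemble(frags: list) -> bytes:
    """Toy reassembler standing in for ipfw 'reass': one datagram, all pieces
    present, no timeouts and no queue limits (the real one has both)."""
    parts = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    data = b"".join(p["payload"] for p in parts)
    first = parts[0]
    return ipv4_header(20 + len(data), first["ident"], False, 0,
                       first["proto"], first["src"], first["dst"]) + data


def compare_policies(frags: list, sport: int) -> dict:
    """How many of one datagram's fragments each policy drops."""
    return {"fragments": len(frags),
            "per_fragment_port_rule": sum(match_sport(f, sport) for f in frags),
            "drop_all_fragments": sum(is_fragment(f) for f in frags),
            "reass_then_port_rule": len(frags) if match_sport(reassemble(frags), sport) else 0}


def demo() -> dict:
    # Constructed traffic: a large DNS-style response from source port 53 (the
    # flood the thread wants to drop) and an unrelated fragmented UDP stream
    # from port 5060 that the downstream host still needs to receive.
    dst = "192.168.1.1"
    flood = fragment(build_udp_packet("198.51.100.7", dst, 53, 40000, b"A" * 3000, 0x1111), 1500)
    legit = fragment(build_udp_packet("203.0.113.9", dst, 5060, 5060, b"B" * 2000, 0x2222), 1500)
    return {"flood": compare_policies(flood, 53), "legit": compare_policies(legit, 53)}


if __name__ == "__main__":
    print(demo())
```

For the 3000-byte flood datagram the per-fragment port rule drops 1 of 3 pieces and lets the other two through to the customer, the blanket fragment rule drops all 3 but also kills both pieces of the legitimate port-5060 datagram, and reassemble-then-match drops the flood completely while passing the legitimate traffic. That is the trade-off behind the two cxgbetool rules above: rule 10 alone behaves like the first column, rule 11 like the second, and `reass` like the third at the price of holding fragments in a bounded queue.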