with "add pass udp" one creates a rule that permits initial fragments of a
datagram, or unfragmented datagram, to pass. if this doesn't happen, then no
subsequent fragment will matter even if allowed through -- because there will
be no endpoint state to allow those fragments to be reassembled. s
From: mike tancsa
Date: Thursday, 29 August 2024 20:51
To: FreeBSD Net
Subject: dropping udp fragments with ipfw
I was working on some firewall rules to drop large UDP fragment attacks and
noticed there is no easy way to drop fragments based on port? e.g. if someone
sends a UDP packet
On 8/29/2024 3:45 PM, Olivier Cochard-Labbé wrote:
On Thu, Aug 29, 2024 at 8:52 PM mike tancsa wrote:
But this would kill all UDP fragments. If the host has some other UDP
application that needs to deal with fragmented packets, is there a way
to get around that and only dr
On Thu, Aug 29, 2024 at 8:52 PM mike tancsa wrote:
> But this would kill all UDP fragments. If the host has some other UDP
> application that needs to deal with fragmented packets, is there a way
> to get around that and only drop packets with a certain port in the
> first fragment?
>
>
When a