-rw-r--r-- | sbin/ipfw/ipfw.8 | 17 | ||||
-rw-r--r-- | sys/netinet/ip_fw.c | 8 |
2 files changed, 20 insertions, 5 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 6966a74..aaaf9dc 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1052,9 +1052,20 @@ Don't forget the loopback interface.
 .Sh FINE POINTS
 .Bl -bullet
 .It
-There is one kind of packet that the firewall will always
-discard, that is a TCP packet's fragment with a fragment offset of
-one.
+There are circumstances where fragmented datagrams are unconditionally
+dropped.
+TCP packets are dropped if they do not contain at least 20 bytes of
+TCP header, UDP packets are dropped if they do not contain a full 8
+byte UDP header, and ICMP packets are dropped if they do not contain
+4 bytes of ICMP header, enough to specify the ICMP type, code, and
+checksum.
+These packets are simply logged as
+.Dq pullup failed
+since there may not be enough good data in the packet to produce a
+meaningful log entry.
+.It
+Another type of packet is unconditionally dropped, a TCP packet with a
+fragment offset of one.
 This is a valid packet, but it only has one use, to try to circumvent
 firewalls.
 When logging is enabled, these packets are
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index 744e2da..e552e1d 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -1470,8 +1470,12 @@ check_ports:
 		break;
 bogusfrag:
-		if (fw_verbose && ip != NULL)
-			ipfw_report(NULL, ip, offset, ip_len, rif, oif);
+		if (fw_verbose) {
+			if (ip != NULL)
+				ipfw_report(NULL, ip, offset, ip_len, rif, oif);
+			else
+				printf("pullup failed\n");
+		}
 		goto dropit;
 	}
|
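Review bot: The new `else printf("pullup failed\n");` branch in the ip_fw.c hunk emits one console message per dropped short fragment with no throttle, whereas the `ip != NULL` path goes through ipfw_report, which presumably applies the firewall's verbose logging limit; a sustained stream of truncated fragments can therefore flood the console and syslog whenever fw_verbose is on. The same limit should gate this message (the counter ipfw_report consults, if it is reachable at this point), or the message should stop after a bounded number of occurrences. The text also carries no subsystem prefix, so it cannot be attributed in a mixed kernel log; `printf("ipfw: pullup failed\n");` would fix that, with the quoted phrase in the ipfw.8 hunk updated to match. The enclosing function starts and ends outside the hunk.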