'Configuration for discarding specific fragments'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-pf
Subject:    Configuration for discarding specific fragments
From:       mark.latimer () gmail ! com
Date:       2013-08-25 11:27:19
Message-ID: b6259319-5842-4752-942f-859c3d4288df () googlegroups ! com
[Download RAW message or body]

Hello,

I am trying and so far failing to understand how to setup PF to drop some fragments \
and reassemble others.

So far as I can tell fragment reassembly is an all or nothing choice with the set \
reassemble option. If it is specified how to do this on a per rule basis I have \
missed this. 

I know that some packets (or packet fragments) should not pass through the filter and \
have no interest in reassembling them. For example

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"

block drop in quick on $ext_if from $martians to any

Other packet fragments I am very interested in reassembling and scrubbing before \
forwarding to servers. For example

match in all scrub (max-mss 1440 min-ttl 4 reassemble tcp)
pass proto tcp from any to $webserver port $webports 
pass proto tcp from any to $emailserver port $email 

So far I can either do the first part and drop the fragments with set reassembly off \
but then not reassemble traffic to the servers or have reassemble on and store \
fragments unnecessarily. Of course some fragments may have to be stored until enough \
information is available to see the TCP/UDP header to determine which rule the \
reassembled packet matches.

I am slightly concerned on a pathological or malicious case where PFs fragment store \
can be filled by traffic that should never be accepted and possibly from spoofed \
addresses. It seems similar to an attack reported against other systems. for example  \
http://www.checkpoint.com/defense/advisories/public/2004/cpai-2004-16.html


Is it possible to reassemble so fragments and not others or is the best approach to \
deploy a screening router/another PF to filter but not reassemble in addition to the \
PF reassembling and scrubbing?

Regard

Mark


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic