Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: ipfilter blocking ip fragments
Operating Systems Solaris ipfilter blocking ip fragments Post 302479956 by DGPickett on Monday 13th of December 2010 11:40:25 AM
Old 12-13-2010
Well, as I recall, IP fragments have no tcp or udp header, just the 20 byte ip header that says it is a UDP or TCP fragment, so no port number to filter on. Maybe you uncovered a bug. Your packet sizes bear this out.

IP Fragmentation is not a very robust way to deal with big data, and many apps manage the packet size within the MTU to avoid it. This may be why such a defect was not previously found. Either that, or some timer on how long to wait for reassembly in the filtering process is set too low. Unlike tcp segmentation, a lost packet cost you 100% of the application block, not on average 50% max., and you still have the 65K limit waiting for you if you do not have an app level fragmenter that integrates with smart retransmission.
This User Gave Thanks to DGPickett For This Post:
ilikecows
 

10 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

fragments in Solaris 8

When discussing inodes and data blocks, I know Solaris creates these data blocks with a total size of 8192b, divided into eight 1024b "fragments." It stores data in "contiguous" fragments and solaris doesn't allow a file to use portions of two different fragments. If the file size permits, then the... (4 Replies)
Discussion started by: manderson19
4 Replies

2. HP-UX

ipfilter hpux11.11

how can I create a rule that will allow my machine to FTP to itself, but not allow other machines to FTP to it.. I know this sounds weird but this how they want it so they can test some application functionality that uses ftp. (2 Replies)
Discussion started by: csaunders
2 Replies

3. Solaris

ipfilter solaris express

Hello, | am trying to setup ipfilter on solaris express snv_91 but I don't seem to have the following file available. /etc/ipf/pfil.ap Is this an older way of configuring the interface?, I have all the packages installed. Thanks, (1 Reply)
Discussion started by: Actuator
1 Replies

4. Cybersecurity

questions about ipfilter

Dears, i am a new user for using ipfilter in solaris 10 and i have some question about this: by using ipfilter for example 1- i want specific MAC address able to access hotmail only 2- also i want to make 10MB for this MAC address is a max download per day 3- i am asking about using MAC... (0 Replies)
Discussion started by: coxmanchester
0 Replies

5. Solaris

NAT IPFilter

Hi everybody, I'm running on Solaris 10 X86 (update 1009). I would like to make NAT's rule. I explain you. On Solaris, I configure the principal interface e1000g0 with IP : 192.168.0.33 I created the first logical interface like that : ifconfig e1000g0 addif 192.168.0.40 netmask... (0 Replies)
Discussion started by: aureliensm
0 Replies

6. Solaris

Ipfilter question

Howdy My goal is to block locally the applications on a Solaris 10 server to access specific port on a remote machine. All attempts to access the <remote ip>:<remote port> should be rejected with ICMP port unreachable or with TCP RST. I tried with the following: block... (2 Replies)
Discussion started by: ralome
2 Replies

7. Shell Programming and Scripting

Extract fragments from file

I have a .xml file that looks something like this : <measInfo> ......... string1 ......... </measInfo> <measInfo> ...... string2 ........ </measInfo> I want to extract only the 'chunk of file' from '<measInfo>' to '</measInfo>' containing string1 (or a certain string that I... (13 Replies)
Discussion started by: black_fender
13 Replies

8. Programming

Which are blocking and non-blocking api's in sockets in C ?

among the below socket programming api's, please let me know which are blocking and non-blocking. socket accept bind listen write read close (2 Replies)
Discussion started by: VSSajjan
2 Replies

9. Solaris

A little help with ipfilter on Omnios

I'm on OmniOS. I have set a linux zone(lx zone) wich use 10.2.0.0/24 network. The other network,connected to internet is 192.168.0.0/24 The network interface of 10.2.0.0/24 is bge1 The network interface of 192.168.0.0/24 is bge0 I know is more easy to use the same network but i prefer to... (1 Reply)
Discussion started by: Linusolaradm1
1 Replies

10. Shell Programming and Scripting

Why the results of these two code fragments are not the same?

Code 1: #!/bin/sh for arg1 in "$@" do counter=0 for arg2 in "$@" do if && then counter=$((counter+1)) continue fi (8 Replies)
Discussion started by: johnprogrammer
8 Replies

LEARN ABOUT OSX

pf.os

PF.OS(5)						      BSD File Formats Manual							  PF.OS(5)

NAME

     pf.os -- format of the operating system fingerprints file

DESCRIPTION

     The packet filter firewall and the tcpdump(1) program can both fingerprint the operating system of hosts that originate an IPv4 TCP connec-
     tion.  The file consists of newline-separated records, one per fingerprint, containing nine colon (':') separated fields.	These fields are
     as follows:

	   window	The TCP window size.
	   TTL		The IP time to live.
	   df		The presence of the IPv4 don't fragment bit.
	   packet size	The size of the initial TCP packet.
	   TCP options	An ordered list of the TCP options.
	   class	The class of operating system.
	   version	The version of the operating system.
	   subtype	The subtype of patchlevel of the operating system.
	   description	The overall textual description of the operating system, version and subtype.

     The window field corresponds to the th->th_win field in the TCP header and is the source host's advertised TCP window size.  It may be
     between zero and 65,535 inclusive.  The window size may be given as a multiple of a constant by prepending the size with a percent sign '%'
     and the value will be used as a modulus.  Three special values may be used for the window size:

	   *	An asterisk will wildcard the value so any window size will match.
	   S	Allow any window size which is a multiple of the maximum segment size (MSS).
	   T	Allow any window size which is a multiple of the maximum transmission unit (MTU).

     The ttl value is the initial time to live in the IP header.  The fingerprint code will account for the volatility of the packet's TTL as it
     traverses a network.

     The df bit corresponds to the Don't Fragment bit in an IPv4 header.  It tells intermediate routers not to fragment the packet and is used for
     path MTU discovery.  It may be either a zero or a one.

     The packet size is the literal size of the full IP packet and is a function of all of the IP and TCP options.

     The TCP options field is an ordered list of the individual TCP options that appear in the SYN packet.  Each option is described by a single
     character separated by a comma and certain ones may include a value.  The options are:

	   Mnnn 	maximum segment size (MSS) option.  The value is the maximum packet size of the network link which may include the '%'
			modulus or match all MSSes with the '*' value.
	   N		the NOP option (NO Operation).
	   T[0] 	the timestamp option.  Certain operating systems always start with a zero timestamp in which case a zero value is added to
			the option; otherwise no value is appended.
	   S		the Selective ACKnowledgement OK (SACKOK) option.
	   Wnnn 	window scaling option.	The value is the size of the window scaling which may include the '%' modulus or match all window
			scalings with the '*' value.

     No TCP options in the fingerprint may be given with a single dot '.'.

     An example of OpenBSD's TCP options are:

	   M*,N,N,S,N,W0,N,N,T

     The first option M* is the MSS option and will match all values.  The second and third options N will match two NOPs.  The fourth option S
     will match the SACKOK option.  The fifth N will match another NOP.  The sixth W0 will match a window scaling option with a zero scaling size.
     The seventh and eighth N options will match two NOPs.  And the ninth and final option T will match the timestamp option with any time value.

     The TCP options in a fingerprint will only match packets with the exact same TCP options in the same order.

     The class field is the class, genre or vendor of the operating system.

     The version is the version of the operating system.  It is used to distinguish between different fingerprints of operating systems of the
     same class but different versions.

     The subtype is the subtype or patch level of the operating system version.  It is used to distinguish between different fingerprints of oper-
     ating systems of the same class and same version but slightly different patches or tweaking.

     The description is a general description of the operating system, its version, patchlevel and any further useful details.

EXAMPLES

     The fingerprint of a plain OpenBSD 3.3 host is:

       16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3

     The fingerprint of an OpenBSD 3.3 host behind a PF scrubbing firewall with a no-df rule would be:

       16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df

     An absolutely braindead embedded operating system fingerprint could be:

       65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3

     The tcpdump(1) output of

       # tcpdump -s128 -c1 -nv 'tcp[13] == 2'
       03:13:48.118526 10.0.0.1.3377 > 10.0.0.2.80: S [tcp sum ok] 
	   534596083:534596083(0) win 57344 <mss 1460> (DF) [tos 0x10] 
	   (ttl 64, id 11315, len 44)

     almost translates into the following fingerprint

       57344:64:1:44:M1460:  exampleOS:1.0::exampleOS 1.0

SEE ALSO

     pf.conf(5), pfctl(8), tcpdump(1)

BSD
								   May 31, 2007 							       BSD
All times are GMT -4. The time now is 12:37 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy