IPFW does not discard *any* IP fragments with OFF=1, only TCP ones.
This commit is contained in:
ru
parent
cc816837b4
commit
6667b54a02
@ -1052,12 +1052,14 @@ It is a good idea to be near the console when doing this.
|
|||||||
Don't forget the loopback interface.
|
Don't forget the loopback interface.
|
||||||
.El
|
.El
|
||||||
.Sh FINE POINTS
|
.Sh FINE POINTS
|
||||||
|
.Bl -bullet
|
||||||
|
.It
|
||||||
There is one kind of packet that the firewall will always
|
There is one kind of packet that the firewall will always
|
||||||
discard, that is an IP fragment with a fragment offset of
|
discard, that is a TCP packet's fragment with a fragment offset of
|
||||||
one.
|
one.
|
||||||
This is a valid packet, but it only has one use, to try
|
This is a valid packet, but it only has one use, to try
|
||||||
to circumvent firewalls.
|
to circumvent firewalls.
|
||||||
.Pp
|
.It
|
||||||
If you are logged in over a network, loading the
|
If you are logged in over a network, loading the
|
||||||
.Xr kld 4
|
.Xr kld 4
|
||||||
version of
|
version of
|
||||||
@ -1075,7 +1077,7 @@ ipfw flush
|
|||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
in similar surroundings is also a bad idea.
|
in similar surroundings is also a bad idea.
|
||||||
.Pp
|
.It
|
||||||
The
|
The
|
||||||
.Nm
|
.Nm
|
||||||
filter list may not be modified if the system security level
|
filter list may not be modified if the system security level
|
||||||
@ -1085,6 +1087,7 @@ see
|
|||||||
.Xr init 8
|
.Xr init 8
|
||||||
for information on system security levels
|
for information on system security levels
|
||||||
.Pc .
|
.Pc .
|
||||||
|
.El
|
||||||
.Sh PACKET DIVERSION
|
.Sh PACKET DIVERSION
|
||||||
A
|
A
|
||||||
.Xr divert 4
|
.Xr divert 4
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user