[ipv6hackers] ip6tables and fragmentation
Guillermo Lafuente Tejero
guiye1984 at hotmail.com
Sun Feb 3 22:57:44 CET 2013
many thanks for your reply.
> If you're doing stateless firewalling, you need to include rules that
> pass non-first fragments. Then security relies on:
> * The firewall's ability to properly filter first-fragments (i.e.,
> fragments with a Fragmet Offset of 0), *and*,
> * Whether the hosts "protected" by the firewall implement RFC 5722
> If you don't want/like this, you should do stateful filtering.
I'm using stateful filtering already. So for example, in the case of ICMPv6 echo request / reply I have the following rules:
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -j ACCEPT
I have later on another rule to make the firewall stateful:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Am I missing something?
> > Now the
> > application layer (or whatever layer is in charge of reassembling the
> > packet) will be waiting for the next fragment,
> The IPv6 layer ;-)
Yeah... obviously, blonde moment...
> > Is there any way of making ip6tables aware of the fragments?
> You could include a last rule that passes packets that have the
> Fragmentation Header "protocol type"...
Wouldn't be this insecure as you would be blindly accepting any fragment blindly?
Any idea of how to implement such a rule in ip6tables?
More information about the Ipv6hackers