[ipv6hackers] ip6tables and fragmentation
SamLT
samuel.lethiec at intelunix.fr
Mon Feb 4 01:34:14 CET 2013
On Sun, Feb 03, 2013 at 10:57:44PM +0100, Guillermo Lafuente Tejero wrote:
>
> Hi Fernando,
>
> many thanks for your reply.
>
>
> > If you're doing stateless firewalling, you need to include rules that
> > pass non-first fragments. Then security relies on:
> >
> > * The firewall's ability to properly filter first-fragments (i.e.,
> > fragments with a Fragment Offset of 0), *and*,
> > * Whether the hosts "protected" by the firewall implement RFC 5722
> >
> >
> > If you don't want/like this, you should do stateful filtering.
> >
>
>
> I'm using stateful filtering already. So for example, in the case of ICMPv6 echo request / reply I have the following rules:
>
> -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -j ACCEPT
> -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -j ACCEPT
>
> I have later on another rule to make the firewall stateful:
>
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
2 minor things:
-> any reason (there could be!) not to have this rule as the first
one (at least before the two other ones above)?
-> it's totally OK if you're still using the state module, but it has
been obsoleted by the far more powerful conntrack one; to start
using it, you can replace this rule with:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>
> Am I missing something?
>
> >
> > > Now the
> > > application layer (or whatever layer is in charge of reassembling the
> > > packet) will be waiting for the next fragment,
> >
> > The IPv6 layer ;-)
>
>
> Yeah... obviously, blonde moment...
>
>
>
> >
> > > Is there any way of making ip6tables aware of the fragments?
> >
> > You could include a last rule that passes packets that have the
> > Fragmentation Header "protocol type"...
> >
>
> Wouldn't this be insecure, as you would be blindly accepting any fragment?
> Any idea of how to implement such a rule in ip6tables?
>
> Thanks!
>
>
>
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
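Added example, not part of either poster's message: an ip6tables-restore ruleset that puts the conntrack rule in front of the per-protocol rules, as suggested in the reply above, and handles the fragment question without a blanket "accept every fragment" rule. It assumes a host (not a router) with a default-DROP INPUT policy, and it relies on the kernel's nf_defrag_ipv6 reassembling fragments before the conntrack match runs, so the rules below never see a non-first fragment on its own once connection tracking is in use. The log prefix and ICMPv6 type selection are choices made for this example.

```iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# 1. Connection tracking first. Anything belonging to a flow we already
#    know is accepted here, before the protocol-specific rules, so the
#    rate limits below only ever apply to NEW traffic. Fragments have
#    already been reassembled by nf_defrag_ipv6 at this point.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Packets conntrack cannot classify (e.g. stray fragments that never
# reassembled, or TCP segments that match no known flow) are dropped.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT

# 2. Neighbor Discovery must pass or the host loses its link-local
#    neighbours; these types are never fragmented in practice.
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT

# 3. Unsolicited echo requests, rate limited (the original poster's rule).
#    Echo replies to requests we sent are already ESTABLISHED above, so a
#    separate type-129 accept rule is no longer needed.
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -j ACCEPT

# 4. Whatever is left that still carries a Fragment Header is logged for
#    inspection rather than passed blindly; the -m frag match reads the
#    extension header, --fragmore selects packets with the M flag set.
-A INPUT -m frag --fragmore -m limit --limit 5/min -j LOG --log-prefix "ip6 frag dropped: "
COMMIT
```

Load it with `ip6tables-restore < ruleset.v6` (the file name is arbitrary). Because the conntrack rule is first, reordering the ICMPv6 rules later cannot accidentally let a tracked flow's packets fall through to the rate limiter, which is the practical difference from placing the stateful rule last.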