[ipv6hackers] ip6tables and fragmentation
Fernando Gont
fgont at si6networks.com
Thu Jan 24 02:06:10 CET 2013
Hola, Guillermo,
On 01/23/2013 08:29 AM, Guillermo Lafuente Tejero wrote:
> The problem that I have if that if I send an ICMPv6 Echo Request
> large enough to force fragmentation the result is that the ping
> fails. What is actually happening (or at least is what I have
> deduced) is that the first fragment reaches the host, ip6tables
> inspect the packet and accepts it as there is a rule allowing ICMPv6
> Echo Requests. Then the fragment comes, and ip6tables is not able to
> match the fragment to any rule, so the packet is discarded.
If you're doing stateless firewalling, you need to include rules that
pass non-first fragments. Then security relies on:
* The firewall's ability to properly filter first-fragments (i.e.,
fragments with a Fragmet Offset of 0), *and*,
* Whether the hosts "protected" by the firewall implement RFC 5722
If you don't want/like this, you should do stateful filtering.
> Now the
> application layer (or whatever layer is in charge of reassembling the
> packet) will be waiting for the next fragment,
The IPv6 layer ;-)
> Is there any way of making ip6tables aware of the fragments?
You could include a last rule that passes packets that have the
Fragmentation Header "protocol type"...
Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
More information about the Ipv6hackers
mailing list