Hello All,
I'm using IP Filter 4.1.24 and pfil 2.1.13 on Solaris 9, SPARC V440. I have problems with fragmented UDP packets.
My IPF rules look like this:
pass out all
block in quick on ce6 proto udp from any to any port = 5050 head 10
pass in log quick on ce6 proto udp from <ClientIP>/32 to any port = 5050 with frag-body
10 pass in all
# Group 10
pass in log quick on ce6 proto udp from <ClientIP>/32 to any port = 5050 keep state keep frags group 10
(I just tested grouping, to see if fragmentation would work correctly; I know there's no connection.)
When I try to send a large UDP packet (SIP) from <ClientIP> to the server, which has IPF enabled on it, I get:
Sep 7 10:38:44 <ServerHostname> ipmon[1116]: [ID 702911 local0.notice] 10:38:44.359296 ce6 @10:1 p <ClientIP>,5060 -> <ServerIP>,5050 PR udp len 20 1396 K-S K-F IN
Sep 7 10:38:44 <ServerHostname> ipmon[1116]: [ID 702911 local0.warning] 10:38:44.359363 ce6 @-1:-1 b <ClientIP> -> <ServerIP> PR udp len 20 (395) (frag 55828:[EMAIL PROTECTED]) K-S K-F IN
in the firewall logs. Also, the SIP packet is not delivered to the daemon that listens on port 5050 on the server.
I read that IPF has some problems with UDP fragmentation if the last fragment's size is a multiple of 8. I tried that bug on IP Filter 4.1.16 (and 4.1.17), and reproduced it quickly. But in IP Filter 4.1.24, whether the last fragment of the packet is a multiple of 8 or not, my fragmented UDP packet still can't pass through ipf.
I can see with snoop that the packet is received:
<ClientIP> -> <ServerIP> UDP IP fragment ID=51038 Offset=0 MF=1 TOS=0x0 TTL=64
<ClientIP> -> <ServerIP> UDP IP fragment ID=51038 Offset=1376 MF=0 TOS=0x0 TTL=64
When I tried removing the "keep state" flag from the related IPF rules, the SIP packet was transferred without any problems, but of course without the keep state flag there may be many more problems (at least a FIN scan can be made against the server).
Is this a bug in IPF? Or am I doing something wrong?
Thanks for your help,
--
Emre ERKUNT
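
Added example, not part of the original message and not IP Filter code: a small triage script that scans ipmon entries of the shape quoted above for trailing fragments blocked with rule @-1:-1, and reports whether each one's payload length is a multiple of 8, the condition the message mentions. The sample lines are constructed; the addresses are placeholders, and the "(frag id:len@offset)" layout with a trailing "+" for more fragments is an assumption, since the archive redacted that field in the quoted log.

```python
import re

# Constructed ipmon entries in the shape quoted in the post (syslog prefix
# omitted). Addresses are documentation placeholders. The "(frag id:len@off)"
# layout is an assumption: the archive redacted that field in the original.
SAMPLE = """\
10:38:44.359296 ce6 @10:1 p 192.0.2.10,5060 -> 192.0.2.20,5050 PR udp len 20 1396 K-S K-F IN
10:38:44.359363 ce6 @-1:-1 b 192.0.2.10 -> 192.0.2.20 PR udp len 20 (395) (frag 55828:375@1376) K-S K-F IN
10:38:50.120001 ce6 @10:1 p 192.0.2.10,5060 -> 192.0.2.20,5050 PR udp len 20 1396 K-S K-F IN
10:38:50.120070 ce6 @-1:-1 b 192.0.2.10 -> 192.0.2.20 PR udp len 20 (396) (frag 55829:376@1376) K-S K-F IN
"""

# search() is used below so a leading syslog prefix is tolerated.
LINE = re.compile(
    r"(?P<ts>\S+) (?P<ifc>\S+) @(?P<grp>-?\d+):(?P<rule>-?\d+) (?P<act>\S+) "
    r"(?P<src>[^, ]+)(?:,\d+)? -> (?P<dst>[^, ]+)(?:,\d+)? "
    r"PR (?P<proto>\S+) len (?P<hl>\d+) \(?(?P<iplen>\d+)\)?"
    r"(?: \(frag (?P<id>\d+):(?P<flen>\d+)@(?P<off>\d+)(?P<mf>\+?)-?\))?"
)

def blocked_fragments(log_text):
    """Return non-first fragments that were blocked with rule @-1:-1."""
    passed, findings = set(), []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        flow = (m["src"], m["dst"], m["proto"])
        if m["act"] == "p":
            passed.add(flow)          # a packet of this flow matched a pass rule
        elif m["act"] == "b" and m["rule"] == "-1" and m["id"]:
            flen = int(m["flen"])
            findings.append({
                "flow": flow,
                "ip_id": int(m["id"]),
                "offset": int(m["off"]),
                "payload": flen,
                "last": m["mf"] == "",            # assumed: no "+" means MF=0
                "multiple_of_8": flen % 8 == 0,   # the condition named in the post
                # Flow-level only: the pass entry above carries no IP ID.
                "first_fragment_passed": flow in passed,
            })
    return findings

if __name__ == "__main__":
    for f in blocked_fragments(SAMPLE):
        print(f)
```

If findings appear for both values of multiple_of_8 while the first fragment of the same flow was passed, the drops do not depend on the last fragment's length.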