Netgate Discussion Forum

Packet size filtering

Firewalling
9 Posts 2 Posters 3.9k Views
  • S
    stelko
    last edited by Dec 22, 2012, 8:30 AM

    Hello!

    Is it possible to filter packets by size under pfSense?

    e.g. I had a Linux box before pfSense that I was using for firewalling, and it had a certain iptables rule as follows:

    Code:

    # Reject outbound TCP/UDP when the IP packet is >= 1024 bytes and the destination port is >= 1024
    iptables -A OUTPUT -p tcp -m length --length 1024: --dport 1024: -j REJECT
    iptables -A OUTPUT -p udp -m length --length 1024: --dport 1024: -j REJECT

    Every packet sent over TCP/UDP, from port 1024+, with 1024+ bytes is rejected.

    Does anyone have an idea how I could reproduce this behaviour under pfSense? I would really appreciate it if it's possible.

    Sorry, I copied this topic, but the original is older :)

    • C
      cmb
      last edited by Dec 22, 2012, 8:41 AM

      PF doesn't have the ability to match on packet size, so no. That's kind of a weird thing to want in a firewall, generally you want a type of traffic either permitted or denied, the size can and will vary. That's also only possible with UDP traffic, the TCP SYN that opens a connection will never be that big (if it were, it would be invalid and PF would drop it), and subsequent packets are passed by the state table, the ruleset is never evaluated again on that session.

      What are you aiming to accomplish?

      • S
        stelko
        last edited by Dec 22, 2012, 9:03 AM

        I have spoofed UDP attacks with packet size 1 to an open port (100 K packets/s), and I am looking for a method to filter them.

        • C
          cmb
          last edited by Dec 22, 2012, 9:13 AM

          Yeah, that would be useful in that case. You can match on packet size with ipfw's iplen. You'd have to kldload ipfw and manually configure its rules. It can run in conjunction with PF (and does by design with captive portal, for instance): you could do an ipfw rule to block UDP matching the desired length, and allow everything else through ipfw. The GUI rules would still apply via PF.

          • S
            stelko
            last edited by Dec 22, 2012, 9:28 AM

            I will try to find the manual page for this, and I will paste the result of loading ipfw here. Do you have info on how packets hit the ipfw and pf rules? Which one is first?

            • S
              stelko
              last edited by Dec 22, 2012, 1:54 PM

              I am having trouble making ipfw the first firewalling program instead of pf.

              
              kldload ipfw                                   # load the ipfw module
              sysctl net.inet.ip.pfil.inbound="ipfw,pf"      # inbound pfil hook order: ipfw before pf
              
              

              Loading ipfw test rules, but traffic is still hitting pf first.

              Here are my ipfw test rules:

              
              00100 deny udp from SRC_IP to any
              00200 allow icmp from SRC_IP to any
              65535 allow ip from any to any
              
              

              By default ICMP is blocked by pf.

              • C
                cmb
                last edited by Dec 23, 2012, 12:50 AM

                The ordering doesn't really matter, they're still going to be processed by both. Those sysctls on pfil control the ordering.

                • S
                  stelko
                  last edited by Dec 23, 2012, 9:06 PM

                  Did you mean, for example, that when a packet hits a pf allow rule, it continues to the ipfw rules?

                  • C
                    cmb
                    last edited by Dec 24, 2012, 1:00 AM

                    @stelko:

                    Did you mean, for example, that when a packet hits a pf allow rule, it continues to the ipfw rules?

                    Yes.

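Pulling together cmb's suggestion (match on length with ipfw's iplen, allow everything else through ipfw, leave the GUI rules to pf) with the kldload and pfil sysctl steps stelko posted, here is an added example that is not from the thread, from pfSense or from Netgate. The interface name em0, the "at most 8 bytes of UDP payload" threshold, the destination port range starting at 1024 and the rule numbers 100 and 65000 are my assumptions; the script prints the rules as text when run without arguments so they can be reviewed before being applied:

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: the ipfw(8) ruleset
# cmb describes (deny UDP by IP length, allow everything else through ipfw) plus
# the kldload/sysctl steps stelko posted, wrapped so the rules can be reviewed
# as text before they are applied.
#
# Assumptions (mine, not from the thread): the flood arrives on em0, carries
# 0-8 bytes of UDP payload and targets destination ports >= 1024. The three
# variables can also be overridden from the environment.

WAN_IF="${WAN_IF:-em0}"
MAX_PAYLOAD="${MAX_PAYLOAD:-8}"   # largest UDP payload, in bytes, still treated as flood
LOW_PORT="${LOW_PORT:-1024}"

# IP total length of a UDP packet carrying the given payload size:
# 20-byte IPv4 header (no options) + 8-byte UDP header + payload.
udp_iplen() {
    echo $((20 + 8 + $1))
}

# Print the ipfw commands for the ruleset, one per line, in the order they must
# be added. Rule 100 matches only packets received inbound on $1, so the
# firewall's own small outbound UDP is untouched; ipfw is stateless here, unlike
# the pf rules from the GUI, so the match is kept deliberately narrow. Rule
# 65000 makes "allow everything else" explicit instead of relying on the
# module's compiled-in default action.
ipfw_ruleset() {
    wan="$1"; max_payload="$2"; low_port="$3"
    printf 'add 100 deny udp from any to any dst-port %s-65535 iplen %s-%s in recv %s\n' \
        "$low_port" "$(udp_iplen 0)" "$(udp_iplen "$max_payload")" "$wan"
    printf 'add 65000 allow ip from any to any\n'
}

# Packet counter of one rule, read from `ipfw -a list` output on stdin.
# Each line there is "<rule> <packets> <bytes> <rule body>", with the rule
# number zero-padded to five digits (e.g. "00100").
rule_packets() {
    awk -v r="$1" '$1 == r { print $2; exit }'
}

# Load the module, install the rules and put ipfw ahead of pf on the inbound
# pfil hook (the sysctl from the thread). Only our own rule numbers are deleted
# first, never a full flush, because pfSense's captive portal also uses ipfw.
# Do not add "log" to rule 100: at 100 K packets/s the log itself becomes the DoS.
apply_ruleset() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not found, printing the ruleset instead:" >&2
        ipfw_ruleset "$WAN_IF" "$MAX_PAYLOAD" "$LOW_PORT"
        return 0
    fi
    kldload ipfw 2>/dev/null || true              # "already loaded" is fine
    ipfw -q delete 100 65000 2>/dev/null || true
    ipfw_ruleset "$WAN_IF" "$MAX_PAYLOAD" "$LOW_PORT" | while read -r rule; do
        ipfw -q $rule                             # word splitting of $rule is intended
    done
    sysctl net.inet.ip.pfil.inbound="ipfw,pf"
    # Watch this counter climb during the flood; everything else stays on rule 65000.
    echo "rule 100 packets so far: $(ipfw -a list | rule_packets 00100)"
}

case "${1:-print}" in
    apply) apply_ruleset ;;
    *)     ipfw_ruleset "$WAN_IF" "$MAX_PAYLOAD" "$LOW_PORT" ;;
esac
```

Run it without arguments on any host to see the two rules it would add (with the defaults, rule 100 is `deny udp ... dst-port 1024-65535 iplen 28-36 in recv em0`, a 1-byte payload giving an IP length of 29); run `sh filter.sh apply` as root on the pfSense box to install them. Because ipfw keeps no state, the length window and the inbound/WAN restriction are what keep short legitimate UDP from being swept up; widen them only after checking the counters with `ipfw -a list`. pfSense will not re-create manually added ipfw rules after a reboot, so the apply step has to be rerun at boot.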
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.