Packet size filtering



  • hello!

    is it possible to filter packets for its size under pfSense?

    e.g: i had a linux box before pfSense that i was using for firewalling, and it has a certain iptable rule as follow:

    Code:

    $ iptables -A OUTPUT -p tcp -m length --length 1024: --dport 1024: -j REJECT
    $ iptables -A OUTPUT -p udp -m length --length 1024: --dport 1024: -j REJECT
    

    every packet sent on tcp/udp, from port 1024+ with 1024+ bytes is rejected.

    anyone have an idea how i could reproduce this behaviour under pfSense? i would really appreciate if it's possible Cheesy

    Sorry, I copied this topic but original is older :)



  • PF doesn't have the ability to match on packet size, so no. That's kind of a weird thing to want in a firewall, generally you want a type of traffic either permitted or denied, the size can and will vary. That's also only possible with UDP traffic, the TCP SYN that opens a connection will never be that big (if it were, it would be invalid and PF would drop it), and subsequent packets are passed by the state table, the ruleset is never evaluated again on that session.

    What are you aiming to accomplish?



  • I have spoofed udp attacks with packet size 1 to opened port (100 K packets/s). And looking for method to filter them



  • Yeah that would be useful in that case. You can match on packet size with ipfw's iplen. You'd have to kldload ipfw and manually configure its rules. It can run in conjunction with PF (and does by design with captive portal for instance), you could do an ipfw rule to block UDP matching the desired length, and allow everything else through ipfw. The GUI rules would still apply via PF.



  • I will try to find manual page for this, and I will paste result of loading ipfw here. Do you have info, how packets hits ipfw and pf rules? Which one is first?



  • I have troubles to make ipfw to be first firewalling program instead pf.

    
    kldload ipfw
    sysctl net.inet.ip.pfil.inbound="ipfw,pf"
    
    

    loading ipfw test rules, but traffic still hitting first pf.

    Here is my ipfw test rules:

    
    00100 deny udp from SRC_IP to any
    00200 allow icmp from SRC_IP to any
    65535 allow ip from any to any
    
    

    By default icmp is blocked by pf.



  • The ordering doesn't really matter, they're still going to be processed by both. Those sysctls on pfil control the ordering.



  • Did you mean, for example when packet hit pf allow rule, it continues to ipfw rule?



  • @stelko:

    Did you mean, for example when packet hit pf allow rule, it continues to ipfw rule?

    Yes.


Locked