Re: unclean match

To: Debian Firewall List <debian-firewall@lists.debian.org>
Subject: Re: unclean match
From: Michael Kreilmeier <michi@kreilmeier.at>
Date: 20 Aug 2002 14:46:25 +0200
Message-id: <[🔎] 1029847585.634.21.camel@z618>
In-reply-to: <[🔎] 20020820123440.GA12667@lina.inka.de>
References: <[🔎] 1029846010.633.11.camel@z618> <[🔎] 20020820123440.GA12667@lina.inka.de>

> it matches unclean packages. those are icmp packets with illegal types,
> those are tcp packets with illegal flag combinations, it catches some common
> udp length errors. it also checks for icmp error messages that enough
> payload of the original packets was included to be able to verify them. You
> best read the source, then you have the definitive answer.
> 
> The idea behind this is mainly for forwarding, to catch packets which would
> be ignored by good host stacks anyway, and could cause harm on bad ip
> implementations.
> 
well, that's kind of what I thought.
Does this module make it unnecessary to filter out any bad combination
of tcp-flags tha classic way?

Reply to:

Follow-Ups:
- Re: unclean match
  - From: Guillaume Morin <guillaume@morinfr.org>
- Re: unclean match
  - From: Bernd Eckenfels <lists@lina.inka.de>

References:
- unclean match
  - From: Michael Kreilmeier <michi@kreilmeier.at>
- Re: unclean match
  - From: Bernd Eckenfels <lists@lina.inka.de>

Prev by Date: Re: unclean match
Next by Date: Re: unclean match
Previous by thread: Re: unclean match
Next by thread: Re: unclean match
Index(es):
- Date
- Thread