
Netfilter & Fragments

The 4th installment in my continuing firewall quest...

The netfilter docs state:

 "If you are doing connection tracking or NAT, then all fragments will
  get merged back together before they reach the packet filtering code,
  so you need never worry about fragments."

So does this apply only to those machines NAT'd *behind* the firewall,
or does it also include the firewall box itself?

FWIW, here's the code I use to detect/toss any fragments:

 # ICMP fragments: -f/--fragment matches only second and later fragments
 # (non-zero fragment offset); -p icmp still applies, because the protocol
 # field sits in the IP header of every fragment.
   $IPT -A INPUT -i $EXT -p icmp --fragment -m limit --limit 1/s \
   -j LOG --log-level info --log-prefix "**ICMP FRAG** "
   $IPT -A INPUT -i $EXT -p icmp --fragment -j DROP

 # Remaining fragments: no -p here, so this matches second and later
 # fragments of every protocol (TCP, UDP, ...), not only TCP.
   $IPT -A INPUT -i $EXT -f -m limit --limit 1/s \
   -j LOG --log-level info --log-prefix "**TCP FRAG** "
   $IPT -A INPUT -i $EXT -f -j DROP

I'm not sure if UDP can be fragmented, but if so, I think this second
ruleset would detect them anyway.


Jeff Bonner
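An added example, not part of the post above, to make the `-f` semantics concrete: the Python below builds IPv4 fragments the way a sending host would, checks each one the way iptables' `--fragment` match does (non-zero fragment offset, i.e. second and later fragments only), and shows what an `-f -j DROP` rule sees once the conntrack defragmenter has merged the datagram back together, the behaviour the netfilter docs quoted above describe. The addresses, IP ID, MTU and payloads are constructed for the example. The builder takes any IP protocol number, so a UDP datagram fragments the same way as ICMP or TCP and is caught by the protocol-less `-f` rule.

```python
import struct

IP_MF = 0x2000      # "more fragments" bit in the flags/fragment-offset field
IP_OFFSET = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17

# Constructed addresses for this example (assumptions, not from the post).
SRC = bytes([192, 0, 2, 10])
DST = bytes([192, 0, 2, 1])


def ipv4_header(proto, ident, payload_len, mf, offset_units, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    flags_frag = (IP_MF if mf else 0) | (offset_units & IP_OFFSET)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0, SRC, DST)
    csum = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, 20, 2))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", (~csum) & 0xFFFF) + hdr[12:]


def fragment(proto, ident, payload, mtu):
    """Split one datagram as a sending host does: every piece but the last
    carries a multiple of 8 payload bytes, MF is set on all but the last, and
    the offset field counts 8-byte units.  Works for any IP protocol number."""
    step = ((mtu - 20) // 8) * 8
    frags = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        more = off + len(chunk) < len(payload)
        frags.append(ipv4_header(proto, ident, len(chunk), more, off // 8) + chunk)
    return frags


def parse(pkt):
    """Return (proto, ident, mf, offset_in_bytes, payload) for a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    _, _, total, ident, ff, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return proto, ident, bool(ff & IP_MF), (ff & IP_OFFSET) * 8, pkt[ihl:total]


def matches_dash_f(pkt):
    """iptables -f / --fragment: true only when the fragment offset is non-zero,
    i.e. for the second and later fragments.  The first fragment (offset 0 with
    MF set) does not match, so -f alone cannot stop all fragmented traffic."""
    return parse(pkt)[3] != 0


def rule_hits(pkt, proto=None, frag=False):
    """Evaluate a rule of the shape `-p <proto> [-f]` against one packet.  -p is
    compared with the IP header's protocol field, which every fragment carries."""
    p = parse(pkt)
    if proto is not None and p[0] != proto:
        return False
    return matches_dash_f(pkt) if frag else True


def reassemble(frags):
    """Merge the fragments of one datagram back into a single packet, which is
    what the conntrack defragmenter hands to the filter table."""
    parsed = sorted((parse(f) for f in frags), key=lambda p: p[3])
    payload = b"".join(p[4] for p in parsed)
    return ipv4_header(parsed[0][0], parsed[0][1], len(payload), False, 0) + payload


def input_chain_drops(frags, conntrack_loaded):
    """Per packet seen by the INPUT chain, whether an `-f -j DROP` rule fires.
    With conntrack/NAT loaded the chain sees only the reassembled datagram."""
    seen = [reassemble(frags)] if conntrack_loaded else frags
    return [rule_hits(p, frag=True) for p in seen]


if __name__ == "__main__":
    icmp = fragment(IPPROTO_ICMP, 0x1234, b"A" * 3000, 1500)
    for f in icmp:
        _, _, mf, off, _ = parse(f)
        print(f"offset={off:5d} MF={int(mf)} -f matches={matches_dash_f(f)}")
    print("without conntrack:", input_chain_drops(icmp, conntrack_loaded=False))
    print("with conntrack:   ", input_chain_drops(icmp, conntrack_loaded=True))
```

Run it as a script: the three ICMP fragments print offsets 0, 1480 and 2960, and only the last two satisfy `-f`; after reassembly the single datagram has offset 0 and no `-f` rule fires at all, which is why those LOG counters stay at zero on a box running conntrack or NAT.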

