On Fri, Nov 08, 2002 at 02:40:48PM -0500, Jeff Bonner wrote:
> The 4th installment in my continuing firewall quest...
>
> The netfilter docs state:
>
> "If you are doing connection tracking or NAT, then all fragments will
> get merged back together before they reach the packet filtering code,
> so you need never worry about fragments."
>
> So does this apply only to those machines NAT'd *behind* the firewall,
> or does it also include the firewall box itself?
>
> FWIW, here's the code I use to detect/toss any fragments:
>
> # ICMP Fragments
> $IPT -A INPUT -p icmp -i $EXT --fragment -j LOG -m limit \
>     --limit 1/s --log-level info --log-prefix "**ICMP FRAG** "
> $IPT -A INPUT -p icmp -i $EXT --fragment -j DROP
>
> # TCP Fragments
> $IPT -A INPUT -i $EXT -f -j LOG -m limit --limit 1/s \
>     --log-level info --log-prefix "**TCP FRAG** "
> $IPT -A INPUT -i $EXT -f -j DROP
>
> I'm not sure if UDP can be fragmented, but if so, I think this second
> ruleset would detect them anyway.

Virtually anything which runs on top of IP may be fragmented; fragmentation
is done at the IP layer. Example of UDP fragments: NFS.

JeF

> TIA,
>
> Jeff Bonner

-- 
-> Jean-Francois Dive
--> jef@linuxbe.org

There is no such thing as randomness. Only order of infinite complexity.
  - _The Holographic Universe_, Michael Talbot
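As an added example (not part of this thread), a small Python script that parses the kernel log lines the LOG rules above would produce and reports, per log prefix, which IP protocol each logged fragment actually carried, and how many non-first fragments were seen per datagram. The sample log lines are constructed (documentation addresses, made-up IDs); the "**TCP FRAG**" prefix is kept as in the ruleset even though a plain `-f` rule matches second-and-later fragments of any protocol, UDP included.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format the netfilter LOG target writes to the
# kernel log, using the log prefixes from the ruleset quoted in the thread.
SAMPLE_LOG = """\
Nov  8 14:41:02 fw kernel: **ICMP FRAG** IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=548 TOS=0x00 PREC=0x00 TTL=64 ID=1234 FRAG:185 PROTO=ICMP
Nov  8 14:41:05 fw kernel: **TCP FRAG** IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.1 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=777 FRAG:185 PROTO=UDP
Nov  8 14:41:05 fw kernel: **TCP FRAG** IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.1 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=777 FRAG:370 PROTO=UDP
Nov  8 14:41:09 fw kernel: **TCP FRAG** IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.1 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=9 FRAG:185 PROTO=TCP
Nov  8 14:41:10 fw kernel: **TCP FRAG** IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.1 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=9 FRAG:370 PROTO=TCP
Nov  8 14:41:11 fw kernel: some unrelated message
"""

LINE_RE = re.compile(r"\*\*(?P<prefix>[A-Z]+ FRAG)\*\* (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
FRAG_RE = re.compile(r"\bFRAG:(\d+)\b")

def parse_log(text):
    """Yield one dict per fragment LOG line: prefix, key fields, frag offset."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("fields")))
        frag = FRAG_RE.search(m.group("fields"))
        yield {
            "prefix": m.group("prefix"),
            "proto": fields.get("PROTO", "?"),
            "src": fields.get("SRC", "?"),
            "id": fields.get("ID", "?"),
            # Offset in 8-byte units; LOG prints FRAG: only when it is non-zero.
            "offset": int(frag.group(1)) if frag else 0,
        }

def summarize(text):
    """Count logged fragments by (log prefix, real IP protocol) and per datagram."""
    by_rule = Counter()
    per_datagram = defaultdict(int)
    for rec in parse_log(text):
        by_rule[(rec["prefix"], rec["proto"])] += 1
        per_datagram[(rec["src"], rec["id"])] += 1
    return by_rule, dict(per_datagram)

if __name__ == "__main__":
    by_rule, per_datagram = summarize(SAMPLE_LOG)
    for (prefix, proto), n in sorted(by_rule.items()):
        print(f"{prefix:<10} rule logged {n} fragment(s) with PROTO={proto}")
    for (src, ident), n in sorted(per_datagram.items()):
        print(f"{n} non-first fragment(s) of datagram ID={ident} from {src}")
```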