[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Netfilter & Fragments

On Fri, Nov 08, 2002 at 02:40:48PM -0500, Jeff Bonner wrote:
> The 4th installment in my continuing firewall quest...
> The netfilter docs state:
>  "If you are doing connection tracking or NAT, then all fragments will
>   get merged back together before they reach the packet filtering code,
>   so you need never worry about fragments."
> So does this apply only to those machines NAT'd *behind* the firewall,
> or does it also include the firewall box itself?
> FWIW, here's the code I use to detect/toss any fragments:
>  # ICMP Fragments
>    $IPT -A INPUT -p icmp -i $EXT --fragment -j LOG -m limit \
>    --limit 1/s --log-level info --log-prefix "**ICMP FRAG** "
>    $IPT -A INPUT  -p icmp -i $EXT --fragment -j DROP
>  # TCP Fragments
>    $IPT -A INPUT -i $EXT -f -j LOG -m limit --limit 1/s \
>    --log-level info  --log-prefix "**TCP FRAG** "
>    $IPT -A INPUT -i $EXT -f -j DROP
> I'm not sure if UDP can be fragmented, but if so, I think this second
> ruleset would detect them anyway.

virtually anything which runs on top of IP may be fragmented.. fragmentation
is done at the ip layer. Expl on UDP fragments: nfs


> TIA,
> Jeff Bonner


-> Jean-Francois Dive
--> jef@linuxbe.org

  There is no such thing as randomness.  Only order of infinite
  complexity.  - _The Holographic Universe_, Michael Talbot

Attachment: pgpFj3xTljFJO.pgp
Description: PGP signature

Reply to: