The 4th installment in my continuing firewall quest...

The netfilter docs state: "If you are doing connection tracking or NAT, then all fragments will get merged back together before they reach the packet filtering code, so you need never worry about fragments."

So does this apply only to those machines NAT'd *behind* the firewall, or does it also include the firewall box itself?

FWIW, here's the code I use to detect/toss any fragments:

    # ICMP Fragments
    $IPT -A INPUT -p icmp -i $EXT --fragment -j LOG -m limit \
        --limit 1/s --log-level info --log-prefix "**ICMP FRAG** "
    $IPT -A INPUT -p icmp -i $EXT --fragment -j DROP

    # TCP Fragments
    $IPT -A INPUT -i $EXT -f -j LOG -m limit --limit 1/s \
        --log-level info --log-prefix "**TCP FRAG** "
    $IPT -A INPUT -i $EXT -f -j DROP

I'm not sure if UDP can be fragmented, but if so, I think this second ruleset would detect them anyway.

TIA,
Jeff Bonner
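As an added example (not part of Jeff's post, and not netfilter project code), the POSIX shell script below generates the same kind of fragment LOG/DROP pairs for review and checks whether connection tracking is loaded. The check matters for the question asked: when the conntrack module is loaded, IP defragmentation is hooked in PREROUTING (and OUTPUT) ahead of the filter table, so packets reaching the INPUT chain, including those addressed to the firewall host itself, are already reassembled and `-f` / `--fragment` rules there never match. The variable names `IPT` and `EXT` follow the post; the default interface `eth0`, the `frag_rules` and `conntrack_loaded` helper names, and the optional modules-file argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Prints iptables fragment LOG/DROP rules to stdout so they can be reviewed
# before being applied (e.g. `sh frag_rules.sh | sudo sh`).

IPT="${IPT:-iptables}"   # iptables binary, as in the post
EXT="${EXT:-eth0}"       # external interface (assumed default: eth0)

# frag_rules PROTO PREFIX
#   Emit a rate-limited LOG rule and a DROP rule for fragments arriving on
#   $EXT. PROTO may be empty to match fragments of any protocol (the post's
#   second pair), or e.g. "icmp" to restrict the match.
frag_rules() {
    proto="$1"
    prefix="$2"
    pm=""
    [ -n "$proto" ] && pm="-p $proto "
    printf '%s\n' "$IPT -A INPUT ${pm}-i $EXT -f -m limit --limit 1/s -j LOG --log-level info --log-prefix \"$prefix \""
    printf '%s\n' "$IPT -A INPUT ${pm}-i $EXT -f -j DROP"
}

# conntrack_loaded [MODULES_FILE]
#   Return 0 if a connection-tracking (or defrag) module is listed in
#   /proc/modules (or in the file given as $1, used for testing).
#   With it loaded, fragments are reassembled before the filter table, so
#   the rules above will log nothing on this host: not a misconfiguration,
#   just a sign the check is happening earlier in the stack.
conntrack_loaded() {
    modfile="${1:-/proc/modules}"
    grep -qE '^(nf_conntrack|ip_conntrack|nf_defrag_ipv4) ' "$modfile" 2>/dev/null
}

# Emit the rule set, with a note on stderr if conntrack makes it moot.
emit_ruleset() {
    if conntrack_loaded; then
        echo "# note: connection tracking is loaded; INPUT -f rules will not see fragments" >&2
    fi
    frag_rules icmp '**ICMP FRAG**'
    frag_rules ''   '**IP FRAG**'
}

emit_ruleset
```

The generated commands are plain text until piped into a shell, so a reviewer can confirm interface, prefix and rate limit first; the stderr note does not change the rules, it only flags that fragment logging on a conntrack-enabled box will stay silent.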