Re: Big ICMP with don't Fragment bit

To: Thorsten Kruschel <tk@nmmn.com>
Cc: debian-security@lists.debian.org
Subject: Re: Big ICMP with don't Fragment bit
From: Tim Haynes <debian@stirfried.vegetable.org.uk>
Date: 11 Apr 2002 14:54:05 +0100
Message-id: <[🔎] 86662ytk76.fsf@potato.vegetable.org.uk>
Reply-to: debian-reply@stirfried.vegetable.org.uk
In-reply-to: <[🔎] 1018532505.1217.28.camel@thotinix>
References: <[🔎] 1018532505.1217.28.camel@thotinix>

Thorsten Kruschel <tk@nmmn.com> writes:

> has anybody an Idea how to create an ICMP Packet with size of 1500 and
> don't Fragment bit set? Or how to filter such Packets generally with
> IPChains?
> 
> I've the Problem, that a Maschine cancels the external connection some
> times. No entrys in Syslog or anywhere else. In my Intrusion Detection I
> see some maschines sending such Packets before the Maschine cancels the
> Connection to the external Net.

If it's causing you problems, such as breaking the PMTU discovery (the
typical one - what machines are giving you problems?), you shouldn't be
filtering ICMP echo-requests. 
In ipchains, that's the best you can do - open yourself up to pings.

In iptables, you can use the length module to filter by length within the
ICMP protocol:

 | zsh, potato  2:52PM piglet % iptables -m length -h | tail
[snip]
 | 
 | length v1.2.5 options:
 | [!] --length length[:length]    Match packet length against value or range

~Tim
-- 
<http://spodzone.org.uk/>

-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

References:
- Big ICMP with don't Fragment bit
  - From: Thorsten Kruschel <tk@nmmn.com>

Prev by Date: Big ICMP with don't Fragment bit
Next by Date: cups security
Previous by thread: Big ICMP with don't Fragment bit
Next by thread: cups security
Index(es):
- Date
- Thread