From: Tim Walberg (twalberg mindspring.com)
Date: Fri Sep 14 2001 - 13:42:55 CDT
On 09/13/2001 23:13 -0600, Rob 'Feztaa' Park wrote:
>>
>> > > [drop fragments rule]
>> >
>> > This might not be a great idea, either; the only time fragmented
>> > packets are insecure is if your firewall doesn't reassemble them
>> > before inspecting them, and it should be straightforward to configure
>> > iptables to always reassemble packets before inspecting them.
>>
>> Does iptables have a configuration file that would do that? I'm not aware
>> of one. It doesn't mention any config files in the man page. I was just
>> skimming, but I also didn't see anything about fragmented packets at all,
>> except about using -f to drop them.
>>
>> So far, I haven't had any problems with this rule, it hasn't prevented me
>> from connecting to anybody or doing anything... so since it's not hurting
>> my connection, and it can't possibly make my machine less secure, I say
>> keep it as-is.
>>
IIRC, netfilter (iptables) does this automatically when you have connection tracking
enabled (modprobe ip_conntrack), which you also need for the stateful inspection
bit, so chances are you haven't even hit this rule...
tw
-- twalbergmindspring.coM
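One way to check the point made in the reply above: read the packet counter on the `-f` rule and see whether connection tracking is loaded. This is an added example, not part of the original message; the rule dump and module list are constructed samples, and `nf_conntrack` and `nf_defrag_ipv4` are the names later kernels use for what the message calls `ip_conntrack`.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -c` output; counters are [packets:bytes].
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
[0:0] -A INPUT -f -j DROP
[1523:98211] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[12:720] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample of /proc/modules content.
SAMPLE_MODULES='ip_conntrack 13744 1
ip_tables 10432 2'

# Reads `iptables-save -c` output on stdin and prints "<chain> <packets>"
# for every rule that matches on fragments (-f / --fragment).
frag_rule_hits() {
    awk '
        /^\[[0-9]+:[0-9]+\] -A / {
            frag = 0
            for (i = 4; i <= NF; i++)
                if ($i == "-f" || $i == "--fragment") frag = 1
            if (!frag) next
            split(substr($1, 2), c, ":")   # "[0:0]" -> c[1] = packets
            print $3, c[1]
        }'
}

# Reads /proc/modules content on stdin; succeeds if a module that
# reassembles fragments ahead of the filter rules is loaded.
defrag_module_loaded() {
    awk '$1 == "ip_conntrack" || $1 == "nf_conntrack" || $1 == "nf_defrag_ipv4" { found = 1 }
         END { exit !found }'
}

# Run both checks over the constructed samples.
printf '%s\n' "$SAMPLE_RULES" | frag_rule_hits | while read -r chain pkts; do
    echo "fragment rule in $chain has matched $pkts packets"
done
if printf '%s\n' "$SAMPLE_MODULES" | defrag_module_loaded; then
    echo "connection tracking is loaded: fragments are reassembled before filtering"
else
    echo "no conntrack/defrag module loaded: fragments reach the rules as-is"
fi
```

On a live host, pipe `iptables-save -c` (as root) into `frag_rule_hits` and redirect `/proc/modules` into `defrag_module_loaded` instead of using the samples.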