Mailinglist Archive: opensuse-security (192 mails)

Re: [suse-security] IPChains
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Tue, 30 May 2000 22:59:53 +0200
  • Message-id: <20000530225953.E9974@xxxxxxxxx>
* Gerhard Sittig wrote on Mon, May 29, 2000 at 19:12 +0200:
> On Mon, May 29, 2000 at 12:36 +0200, Steffen Dettmer wrote:
> > * Gerhard Sittig wrote on Sun, May 28, 2000 at 22:24 +0200:
> > [at this indent level]
> I wasn't very clear it seems. I meant: When path MTU discovery
> (and obeying the gotten values, of course:) is a common
> technique, fragmentation shouldn't have to happen at all.

I cannot imagine that MTU discovery works through masquerading
routers, since the ICMP would never reach the sender. Correct me
if I'm wrong.

> So I
> still feel that dropping fragmented packets in general to be a
> valid option.

Using IPSec FreeS/WAN you would drop most packets, since they
use internally an MTU around 16K IIRC, and a "re-fragmentation"
occurs [AFAIK].

> cycles and memory consumption) to me. Unless I got something
> wrong (confused some layers?) in which case I'm sure you tell me
> I did.

Well, maybe there're some (broken) implementations without MTU
discovery or with a buggy one. Maybe a Palm IIIx (don't know
anything about its IP stack, but it's a simple one)...

> > it's not so quite easy to drop too short packets I think.
> > Telnet may send packets with just one byte data for instance.
> By too short a packet I thought of "not having enough room to
> even contain a full IP header and whatever is the header of the
> layer above (TCP/UDP for ports, ICMP for types, etc)". This
> doesn't touch the length of the payload for the application.

Well, so it would be simply malformed you mean? Isn't the Linux
kernel dropping such packets always?



This letter was generated by machine,
it therefore bears neither signature nor seal.
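
The distinction drawn in this thread between a packet that is "too short" to hold an IP header plus the header of the layer above, and a packet that merely carries a small payload (Telnet's single data byte), shown as an added example that is not part of the original mail and is not Linux kernel or ipchains code. The function names and the sample packets are constructed for illustration; the IP header checksum is not verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { PKT_OK, PKT_BAD_IP_HEADER, PKT_TRUNCATED_L4, PKT_FRAGMENT };

/* Smallest possible header of the layer above IP, in bytes. */
static size_t l4_min_header(uint8_t proto) {
    switch (proto) {
    case 6:  return 20; /* TCP: ports, seq, ack, flags, window, checksum */
    case 17: return 8;  /* UDP: ports, length, checksum */
    case 1:  return 8;  /* ICMP: type, code, checksum, rest of header */
    default: return 0;  /* unknown protocol: no minimum enforced here */
    }
}

/* Classify a raw IPv4 packet of len captured bytes (header checksum not verified). */
enum verdict classify_ipv4(const uint8_t *p, size_t len) {
    if (len < 20 || (p[0] >> 4) != 4) return PKT_BAD_IP_HEADER;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;          /* header length incl. options */
    size_t total = ((size_t)p[2] << 8) | p[3];       /* total length field */
    if (ihl < 20 || total < ihl || total > len) return PKT_BAD_IP_HEADER;
    unsigned frag = ((unsigned)p[6] << 8) | p[7];    /* flags + fragment offset */
    if (frag & 0x1fff) return PKT_FRAGMENT;          /* later fragment: no L4 header */
    if (total - ihl < l4_min_header(p[9])) return PKT_TRUNCATED_L4;
    return (frag & 0x2000) ? PKT_FRAGMENT : PKT_OK;  /* MF set: first fragment */
}

/* Constructed sample: 20-byte IPv4 header followed by l4_len zero bytes. */
enum verdict classify_sample(uint8_t proto, size_t l4_len, unsigned frag_field) {
    uint8_t buf[128] = {0};
    size_t total = 20 + l4_len;
    if (total > sizeof buf) return PKT_BAD_IP_HEADER;
    buf[0] = 0x45;                                   /* version 4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xff);
    buf[6] = (uint8_t)(frag_field >> 8);
    buf[7] = (uint8_t)(frag_field & 0xff);
    buf[9] = proto;
    return classify_ipv4(buf, total);
}

int main(void) {
    printf("TCP, 1 data byte:  %d\n", classify_sample(6, 21, 0));
    printf("TCP, 12 bytes:     %d\n", classify_sample(6, 12, 0));
    printf("UDP, MF set:       %d\n", classify_sample(17, 64, 0x2000));
    return 0;
}
```

Fragments are reported as a separate verdict rather than dropped, so the policy question debated above (drop all fragments or not) stays a decision for the caller.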
