Mailinglist Archive: opensuse-security (192 mails)

Re: [suse-security] IPChains
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Tue, 30 May 2000 22:59:53 +0200
  • Message-id: <20000530225953.E9974@xxxxxxxxx>
* Gerhard Sittig wrote on Mon, May 29, 2000 at 19:12 +0200:
> On Mon, May 29, 2000 at 12:36 +0200, Steffen Dettmer wrote:
> > * Gerhard Sittig wrote on Sun, May 28, 2000 at 22:24 +0200:
> > [at this ident level]
>
> I wasn't very clear it seems. I meant: When path MTU discovery
> (and obeying the gotten values, of course:) is a common
> technique, fragmentation shouldn't have to happen at all.

I cannot imagine that MTU discovery works through masquerading
routers, since the ICMP would never reach the sender. Correct me
if I'm wrong.

> So I
> still feel that dropping fragmented packets in general is a
> valid option.

Using IPSec FreeS/WAN you would drop most packets, since they
use internally an MTU around 16K IIRC, and a "re-fragmentation"
occurs [AFAIK].

> cycles and memory consumption) to me. Unless I got something
> wrong (confused some layers?) in which case I'm sure you tell me
> I did.

Well, maybe there're some (broken) implementations without MTU
discovery or with a buggy one. Maybe a Palm IIIx (don't know
anything about its IP stack, but it's a simple one)...

> > it's not quite so easy to drop too short packets I think.
> > Telnet may send packets with just one byte of data for instance.
>
> By too short a packet I thought of "not having enough room to
> even contain a full IP header and whatever is the header of the
> layer above (TCP/UDP for ports, ICMP for types, etc). This
> doesn't touch the length of the payload for the application.

Well, so it would be simply malformed you mean? Isn't the Linux
kernel dropping such packets always?

oki,

Steffen

--
This message was generated by machine,
so it bears neither signature nor seal.
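The thread distinguishes three things a packet filter might drop: fragments, packets "too short" to hold a full IP header plus the transport header (Gerhard's definition), and packets that merely carry a tiny payload such as Telnet's one-byte segments (which should pass). The following classifier, added here as an example and not code from the list or from any project, makes that distinction explicit on raw IPv4 bytes. The sample packets, addresses and ports are constructed for the example.

```python
import struct

# Smallest valid header for each transport protocol mentioned in the thread.
TRANSPORT_MIN_LEN = {1: 8, 6: 20, 17: 8}   # ICMP, TCP, UDP
IP_MF = 0x2000                              # "More Fragments" flag
IP_OFFSET_MASK = 0x1FFF                     # 13-bit fragment offset


def classify_ipv4(pkt: bytes) -> str:
    """Classify a raw IPv4 packet as one of:
       'truncated'    - not even a complete IPv4 header is present
       'fragment'     - MF set or non-zero offset (no transport header to inspect)
       'short-header' - unfragmented, but too short for the transport header
       'ok'           - headers complete; payload may be any length, even one byte
    """
    if len(pkt) < 20:
        return "truncated"
    (ver_ihl, _tos, _total_len, _ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        return "truncated"
    # Fragments are decided before the header-length check: only the first
    # fragment carries a transport header, later ones carry opaque payload.
    if flags_frag & IP_MF or flags_frag & IP_OFFSET_MASK:
        return "fragment"
    needed = TRANSPORT_MIN_LEN.get(proto, 0)
    if len(pkt) - ihl < needed:
        return "short-header"
    return "ok"


def build_ipv4(payload: bytes, proto: int, flags_frag: int = 0) -> bytes:
    """Build a minimal IPv4 header (no options, checksum left zero) for tests.
       Addresses are constructed sample values."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_tcp(data: bytes) -> bytes:
    """Minimal 20-byte TCP header (data offset 5, ACK+PSH) followed by data."""
    return struct.pack("!HHIIBBHHH", 40000, 23, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data


# Constructed sample packets covering the cases discussed in the thread.
SAMPLES = {
    # Telnet-style segment: full TCP header plus a single byte of data.
    "telnet_one_byte": build_ipv4(build_tcp(b"a"), 6),
    # A later fragment of a larger datagram (offset 185 * 8 bytes, MF set).
    "fragment": build_ipv4(b"\x00" * 64, 6, flags_frag=IP_MF | 185),
    # Unfragmented TCP packet whose TCP header is cut off after 8 bytes.
    "short_tcp_header": build_ipv4(build_tcp(b"")[:8], 6),
    # Only 12 bytes on the wire: not even an IPv4 header.
    "truncated_ip": build_ipv4(b"", 6)[:12],
    # UDP with exactly its 8-byte header and no payload is still complete.
    "empty_udp": build_ipv4(struct.pack("!HHHH", 5000, 53, 8, 0), 17),
}


def classify_samples() -> dict:
    """Classify every constructed sample; returned for inspection or testing."""
    return {name: classify_ipv4(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18s} -> {verdict}")
```

The point the classifier makes concrete is Steffen's objection: a length rule must be measured against the headers, not the payload, or Telnet's one-byte segments would be dropped along with genuinely malformed packets. Whether a filter should also drop all fragments (Gerhard's position) is a separate policy choice; the classifier only labels them so that decision can be applied explicitly.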
