Mailinglist Archive: opensuse-security (192 mails)

< Previous Next >
Re: [suse-security] IPChains
  • From: Gerhard Sittig <Gerhard.Sittig@xxxxxxx>
  • Date: Mon, 29 May 2000 19:12:55 +0200
  • Message-id: <20000529191255.U2305@xxxxxxxxxxxxx>
On Mon, May 29, 2000 at 12:36 +0200, Steffen Dettmer wrote:
> * Gerhard Sittig wrote on Sun, May 28, 2000 at 22:24 +0200:
> > Trying to cut corners often turns out to fail sooner
> > or later. And by employing path MTU discovery fragmentation
> > should even become uncommon and avoidable.
> Sorry, couldn't get this. You mean to prohibite MTU discovery?
> This could slow down connections a lot, especially if you have a
> "defragment always" firewall AFIAK.

I wasn't very clear it seems. I meant: When path MTU discovery
(and obeying the gotten values, of course:) is a common
technique, fragmentation shouldn't have to happen at all. So I
still feel that dropping fragmented packets in general to be a
valid option. It will only disturb the partners not adjusting
their MTU and thus causing problems (afford in terms of cpu
cycles and memory consumption) to me. Unless I got something
wrong (confused some layers?) in which case I'm sure you tell me
I did. (I already start to develop a feeling of this to be true.
I'll await to learn and get rid of this misbelief ...)

> > Maybe one even should drop fragmented packets in general, as
> > well as too short packets to be real and source routed
> > packets
> it's not so quite easy to drop too short packets I think.
> Telnet may send packets with just one byte date for instance.

By too short a packet I thought of "not having enough room to
even contain a full IP header and whatever is the header of the
layer above (TCP/UDP for ports, ICMP for types, etc). This
doesn't touch the length of the payload for the application.

virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@xxxxxxx
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

< Previous Next >
Follow Ups