That's not what I asked. Assuming conntrack works fine and my IP filter decides to drop the packet: when will this take place? Before defragmenting the packet, or with defragmented packets? The last case means such an exploit would work. That's more than theoretical. If you do not know where the bug is (if there is one), then why make the assumption that part X is safe?
Simply because it was not the netfilter code that was addressed as being buggy, but the TCP "stack" implementation.
It will probably only put you into a false feeling of security if such a bug really exists.
No, I don't think so. That is why I asked that theoretical question, which has not been answered until now. Will netfilter block such kinds of packets when an attacker tries to root my box? Or are malicious packets handled by the kernel before netfilter comes to inspect them?
Who says that such a fragmented packet does not belong to a connection at all? :) If you have a public webserver, I guess it's easy to have fragmented packets for a tracked connection.
This is another possibility to get infected, but it doesn't affect e.g. a VPN router.
Anyway, it's probably not necessary to discuss that if no one knows any details.
I don't think so. It's always good to talk about it. GTIF Michael