Hi all,

the filtering howto states: "If you are doing connection tracking or NAT, then all fragments will get merged back together before they reach the packet filtering code, so you need never worry about fragments."

This fits my observation regarding NAT: I sent out fragmented ICMP packets with sing and they were reassembled before they left the outbound wire.

But it also says: "Usually it is regarded as safe to let second and further fragments through, since filtering will affect the first fragment, and thus prevent reassembly on the target host; however, bugs have been known to allow crashing of machines simply by sending fragments. Your call." (talking about the -f flag)

Does that mean that fragments will always be reassembled before they get forwarded when you use connection tracking and/or NAT? It looks like that to me; never had problems with fragments, though.

I'm just asking because I'm currently creating a big test-case scenario for the acceptance of a new firewall I just built for a customer. I'm just curious. Haven't thought about it for a long time since the filtering code became stateful...

Thanks,
Alex.

--
"Obviously Linux owes its heritage to UNIX, but not its code. We would not, nor will not, make such a claim." -- Darl McBride, August 28th 2002
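As an added illustration (not part of Alex's message or of the netfilter code), here is a small Python model of the two behaviours the howto describes: a defragmenter that, like conntrack, rebuilds the whole datagram before any rule looks at it, and the `-f` test that matches only second and further fragments, which carry no transport header for port or ICMP-type rules to inspect. Addresses, IP identifier and payload are constructed sample values.

```python
import struct

SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses

def ipv4_header(ident, more_frags, offset, payload_len, proto=17):
    """20-byte IPv4 header; `offset` is the fragment offset in bytes (multiple of 8)."""
    flags_frag = (0x2000 if more_frags else 0) | ((offset // 8) & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, proto, 0, SRC, DST)
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:                      # fold carries for the ones'-complement sum
        csum = (csum >> 16) + (csum & 0xFFFF)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]

def fragment(ident, payload, mtu):
    """Split one IP payload into fragments that fit `mtu`, as a router would."""
    chunk = ((mtu - 20) // 8) * 8          # fragment data must be a multiple of 8 bytes
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = off + chunk < len(payload)  # MF flag set on all but the last fragment
        frags.append(ipv4_header(ident, more, off, len(piece)) + piece)
    return frags

def parse(pkt):
    """Return (ident, more_fragments, offset_bytes, data) for an IPv4 packet."""
    ident, flags_frag = struct.unpack("!HH", pkt[4:8])
    ihl = (pkt[0] & 0x0F) * 4
    return ident, bool(flags_frag & 0x2000), (flags_frag & 0x1FFF) * 8, pkt[ihl:]

def matches_f(pkt):
    """iptables -f semantics: true only for second and further fragments (offset != 0)."""
    return parse(pkt)[2] != 0

def reassemble(frags):
    """What conntrack's defragmentation does before rules run: rebuild the datagram.
    Returns the payload, or None when a fragment (or the final one) is missing."""
    parts = sorted((parse(f) for f in frags), key=lambda p: p[2])
    expected, data, last_seen = 0, b"", False
    for _, more, off, chunk in parts:
        if off != expected:                # gap or duplicate: cannot complete
            return None
        data += chunk
        expected += len(chunk)
        last_seen = not more
    return data if last_seen else None

# constructed 1504-byte UDP-like datagram: 8-byte header followed by filler
PAYLOAD = bytes([0x12, 0x34, 0x00, 0x35, 0x05, 0xE0, 0x00, 0x00]) + b"A" * 1496
```

With an MTU of 576 the sample datagram splits into three fragments; only the first carries the UDP header, so a port rule can match it, while `-f` matches the other two.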