We are working to use an iptables based VPN for a client where the certificates do not fit into a single packet. Thus we have a fragmentation problem. We normally drop all fragments on the Internet interfaces in our rule sets. We are a little hesitant to stop doing so. Does connection tracking make it safe to do so or does it make it more dangerous? I understand that connection tracking will reassemble the fragments. If someone is trying to attack by sending lots of non-head fragments, will connection tracking drop those as invalid or will this produce a denial of service attack as connection tracking tries to match a flood of fragments without first fragments?

Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

If you would like to participate in the development of an open source enterprise class network security management system, please visit http://iscs.sourceforge.net
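As an added illustration of the question above (not code from the post, and not netfilter's implementation), a toy reassembly queue showing why tail-only fragments can never complete a datagram yet can still push a legitimate partial datagram out of a memory-capped queue; the sysctl names in the comments are real, the traffic is constructed, and `add` returns the reassembled payload or None.

```python
from collections import OrderedDict

# Simplified fragment reassembly queue (added example; not code from the post or
# netfilter). high_thresh/timeout stand in for net.ipv4.ipfrag_high_thresh and
# net.ipv4.ipfrag_time; overlapping fragments are not handled in this model.
class FragQueue:
    def __init__(self, high_thresh=64, timeout=30):
        self.high_thresh = high_thresh  # bytes of fragment data the queue may hold
        self.timeout = timeout          # seconds an incomplete datagram may wait
        self.queues = OrderedDict()     # (src, dst, ip_id) -> partial datagram
        self.mem = 0
        self.evicted = 0                # incomplete datagrams thrown away
    def _evict(self, key, dropped=True):
        self.mem -= self.queues.pop(key)["bytes"]
        self.evicted += int(dropped)
    def add(self, key, offset, data, more_fragments, now):
        for k in [k for k, q in self.queues.items() if now - q["seen"] > self.timeout]:
            self._evict(k)
        # Memory pressure: drop the oldest incomplete datagram, whoever owns it.
        while self.mem + len(data) > self.high_thresh and self.queues:
            self._evict(next(iter(self.queues)))
        q = self.queues.setdefault(key, {"frags": {}, "bytes": 0, "total": None, "seen": now})
        q["frags"][offset] = data
        q["bytes"] += len(data)
        q["seen"] = now
        self.mem += len(data)
        if not more_fragments:
            q["total"] = offset + len(data)  # last fragment fixes the total length
        if q["total"] is None:
            return None
        pos, out = 0, b""
        while pos < q["total"] and pos in q["frags"]:  # walk contiguous fragments
            out += q["frags"][pos]
            pos += len(q["frags"][pos])
        if pos != q["total"]:
            return None                      # hole remains, e.g. no first fragment
        self._evict(key, dropped=False)      # complete: free it without counting a drop
        return out

def demo():
    fq = FragQueue(high_thresh=64, timeout=30)
    # Constructed traffic: a 32-byte datagram arriving as two 16-byte fragments.
    fq.add(("10.0.0.1", "10.0.0.2", 1), 0, b"A" * 16, True, now=0)
    whole = fq.add(("10.0.0.1", "10.0.0.2", 1), 16, b"B" * 16, False, now=1)
    fq.add(("10.0.0.1", "10.0.0.2", 2), 0, b"A" * 16, True, now=2)  # legit head, waiting
    # Constructed flood: tail-only fragments with fresh IP ids that can never complete.
    for ip_id in range(100, 110):
        fq.add(("198.51.100.9", "10.0.0.2", ip_id), 16, b"X" * 16, False, now=3)
    legit_alive = ("10.0.0.1", "10.0.0.2", 2) in fq.queues
    return whole, fq.evicted, legit_alive, fq.mem <= fq.high_thresh
```

The memory cap keeps the flood bounded (nothing ever reassembles and the queue never grows past high_thresh), but the cost lands on the legitimate partial datagram that is evicted to make room, which is the trade-off the question is really about.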