On Monday 06 of August 2012 20:00EN, rahul shrivastava wrote:
>
> My objective is to drop all fragmented packets on my system.
> The following rules are used:

Not a good idea, IMHO.

> iptables -A INPUT -f -j DROP
> iptables -A OUTPUT -f -j DROP
> iptables -A FORWARD -f -j DROP

This doesn't drop every fragmented packet, only second and further
fragments. Thus the first fragment passes through, waits in a queue until
it times out (30 seconds on my system) and then causes a "fragmentation
timeout exceeded" ICMP message.

> I am using ping -s 32768 10.2.2.2 for generating fragments

You should at least tell us where the rules above are set. On the system
sending the packets, on the system receiving the packets, or somewhere
between them? Also don't forget to mention the kernel version.

Michal Kubeček

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
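An added example, not part of the thread above and not code from either participant, that models what the `-f` match actually tests. It builds the IPv4 fragments a `ping -s 32768` would produce, applies the `-f ... -j DROP` rule to them, and then tries to reassemble what got through. The 1500-byte MTU, the source address 10.2.2.1 and the IP identification value are assumptions chosen for the demonstration; `iptables -f` matches on a non-zero fragment offset, which is why the first fragment (offset 0, MF set) is never matched.

```python
import struct

# Constructed scenario: ping -s 32768 from 10.2.2.1 to 10.2.2.2 over a
# 1500-byte MTU link. MTU, source address and IP id are assumptions.
MTU = 1500
IP_HDR_LEN = 20
IP_MF = 0x2000           # "more fragments" flag
IP_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units


def checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def icmp_echo(size, ident=0x1234, seq=1):
    """ICMP echo request carrying `size` data bytes, as `ping -s size` sends."""
    body = bytes(i & 0xFF for i in range(size))
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", checksum(hdr + body)) + hdr[4:] + body


def ipv4_header(total_len, ident, flags_frag, proto=1,
                src="10.2.2.1", dst="10.2.2.2"):
    """Minimal 20-byte IPv4 header with a valid checksum."""
    def ip2int(a):
        return struct.unpack("!I", bytes(int(x) for x in a.split(".")))[0]
    hdr = struct.pack("!BBHHHBBHII", 0x45, 0, total_len, ident, flags_frag,
                      64, proto, 0, ip2int(src), ip2int(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def fragment(payload, ident, mtu=MTU):
    """Split an IP payload into the fragments the sending stack would emit."""
    max_data = (mtu - IP_HDR_LEN) // 8 * 8   # 1480 data bytes per fragment
    frags, off = [], 0
    while off < len(payload):
        chunk = payload[off:off + max_data]
        more = off + len(chunk) < len(payload)
        flags_frag = (IP_MF if more else 0) | (off // 8)
        frags.append(ipv4_header(IP_HDR_LEN + len(chunk), ident, flags_frag) + chunk)
        off += len(chunk)
    return frags


def frag_field(pkt):
    """Flags + fragment offset word of an IPv4 packet."""
    return struct.unpack("!H", pkt[6:8])[0]


def iptables_f_matches(pkt):
    """What `iptables -f` tests: fragment offset != 0, i.e. second and later fragments."""
    return frag_field(pkt) & IP_OFFSET_MASK != 0


def is_any_fragment(pkt):
    """What the kernel's ip_is_fragment() tests: MF set or offset != 0 (first fragment too)."""
    return frag_field(pkt) & (IP_MF | IP_OFFSET_MASK) != 0


def apply_rule(frags, match):
    """Outcome of a `-j DROP` rule with the given match: (passed, dropped)."""
    passed = [p for p in frags if not match(p)]
    dropped = [p for p in frags if match(p)]
    return passed, dropped


def reassemble(frags):
    """Receiver-side reassembly: the payload if every piece arrived, else None.
    The real queue keeps waiting for ipfrag_time (30 s by default) and then
    answers with ICMP time exceeded / fragment reassembly time exceeded."""
    pieces, total = {}, None
    for p in frags:
        off = (frag_field(p) & IP_OFFSET_MASK) * 8
        pieces[off] = p[IP_HDR_LEN:]
        if not frag_field(p) & IP_MF:
            total = off + len(pieces[off])
    if total is None or sum(map(len, pieces.values())) != total:
        return None
    out = bytearray(total)
    for off, data in pieces.items():
        out[off:off + len(data)] = data
    return bytes(out)


def demo():
    payload = icmp_echo(32768)              # 8-byte ICMP header + 32768 bytes
    frags = fragment(payload, ident=0xBEEF)
    passed, dropped = apply_rule(frags, iptables_f_matches)
    return {
        "fragments": len(frags),
        "passed_by_f_drop": len(passed),
        "dropped_by_f_drop": len(dropped),
        "first_fragment_passed": bool(passed) and passed[0] is frags[0],
        "reassembled_after_f_drop": reassemble(passed) is not None,
        "reassembled_without_rule": reassemble(frags) == payload,
        "passed_by_any_fragment_drop": len(apply_rule(frags, is_any_fragment)[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Run it and the 32776-byte ICMP datagram becomes 23 fragments; `-f` drops 22 of them and lets the first one through, which the receiver can never complete, matching the timeout-then-ICMP behaviour described in the reply. The `is_any_fragment` check shows the semantics the original poster probably wanted (match the first fragment too); it is the kernel's own test, not an iptables option. One more reason the kernel version and loaded modules matter: once connection tracking (nf_defrag_ipv4) is in use, IPv4 packets are reassembled before the filter table sees them, so `-f` never matches there at all. The reassembly timeout is the sysctl `net.ipv4.ipfrag_time` (/proc/sys/net/ipv4/ipfrag_time).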