> 1. Fragmenting packets so that port information is passed in second
> packet and the filter only looks at first so it lets it go through. I
> know this is a possibility with various packet filtering firewalls on
> the market now. Linux 2.0 has an option to re-assemble all fragmented
> packets going through it before applying the filter which stops it.
Or just block packets that are too short to hold all the options. If you try
and reassemble all the fragments that opens you up to a denial of service
attack, and there really isn't any legitimate need to have packets that
short.
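The minimum-length rule in the reply above, as an added example that is not code from either poster: a stateless check on each IPv4 fragment that drops an initial fragment too short to hold the whole TCP or UDP header (TCP options included, read from the data offset), without reassembling anything. The packet builders, addresses, ports and option bytes are constructed test input, not captured traffic, and the IP checksum is left zero. The rule for non-initial fragments goes one step beyond the post: a fragment whose data starts inside the transport-header region can only belong to a datagram whose first fragment was already too short, so it is dropped as well rather than letting it overwrite header fields when the destination host reassembles.

```python
import struct
from typing import Optional

IP_MF = 0x2000       # "More Fragments" bit in the flags/fragment-offset field
IP_OFFMASK = 0x1FFF  # fragment offset, in 8-byte units
PROTO_TCP, PROTO_UDP = 6, 17
UDP_HDR_LEN, TCP_MIN_HDR_LEN = 8, 20


def parse_ipv4(pkt: bytes) -> dict:
    """Pull the IPv4 fields a fragment filter needs out of a raw packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vhl, _tos, total_len, _ident, frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vhl & 0x0F) * 4
    if vhl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    return {
        "proto": proto,
        "mf": bool(frag & IP_MF),
        "offset": (frag & IP_OFFMASK) * 8,   # byte offset of this fragment's data
        "l4": pkt[ihl:total_len],            # transport bytes this fragment carries
    }


def first_fragment_min_len(proto: int, l4: bytes) -> int:
    """Bytes the initial fragment must carry so every header field (and, for
    TCP, every option) is visible to a filter that only inspects fragment 0."""
    if proto == PROTO_UDP:
        return UDP_HDR_LEN
    if len(l4) < TCP_MIN_HDR_LEN:
        return TCP_MIN_HDR_LEN
    # TCP data offset (32-bit words) gives the header length including options.
    return max(TCP_MIN_HDR_LEN, (l4[12] >> 4) * 4)


def fragment_verdict(pkt: bytes) -> str:
    """'drop' for fragments that could carry TCP/UDP header fields past a
    first-fragment-only filter, 'pass' for everything else."""
    hdr = parse_ipv4(pkt)
    if hdr["proto"] not in (PROTO_TCP, PROTO_UDP):
        return "pass"
    if hdr["offset"] == 0:
        need = first_fragment_min_len(hdr["proto"], hdr["l4"])
        return "pass" if len(hdr["l4"]) >= need else "drop"
    # Non-initial fragment: its data must start past the fixed transport header.
    # A legitimate first fragment long enough to hold that header (and padded to a
    # multiple of 8) pushes all later offsets beyond it, so anything lower is an
    # overlap attempt. This rule is an addition beyond the post.
    min_hdr = UDP_HDR_LEN if hdr["proto"] == PROTO_UDP else TCP_MIN_HDR_LEN
    return "drop" if hdr["offset"] < min_hdr else "pass"


def make_ipv4(proto: int, mf: bool, offset: int, l4: bytes) -> bytes:
    """Constructed test packet: 20-byte IPv4 header, checksum left zero."""
    frag = (IP_MF if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, frag,
                      64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + l4


def tcp_header(sport: int, dport: int, flags: int, options: bytes = b"") -> bytes:
    """Constructed TCP header; options must already be padded to a 4-byte multiple."""
    doff = (TCP_MIN_HDR_LEN + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, flags,
                       8192, 0, 0) + options


def demo() -> dict:
    """Run the filter over constructed fragments and return each verdict."""
    syn = tcp_header(40000, 23, 0x02)                       # SYN to telnet, 20 bytes
    opts = b"\x02\x04\x05\xb4\x01\x01\x04\x02"              # MSS, NOP, NOP, SACK-permitted
    syn_opts = tcp_header(40000, 23, 0x02, opts)            # 28-byte header
    return {
        "unfragmented": fragment_verdict(make_ipv4(PROTO_TCP, False, 0, syn)),
        # Tiny-fragment attack: fragment 0 holds only ports + sequence number,
        # the flags byte arrives in fragment 1 at offset 8.
        "tiny_first": fragment_verdict(make_ipv4(PROTO_TCP, True, 0, syn[:8])),
        "tiny_second": fragment_verdict(make_ipv4(PROTO_TCP, False, 8, syn[8:])),
        # Legitimate fragmentation: fragment 0 carries the whole header plus data.
        "ok_first": fragment_verdict(make_ipv4(PROTO_TCP, True, 0, syn + b"data")),
        "ok_second": fragment_verdict(make_ipv4(PROTO_TCP, False, 24, b"more")),
        # Options split across fragments: 24 bytes carried, data offset says 28.
        "options_split": fragment_verdict(make_ipv4(PROTO_TCP, True, 0, syn_opts[:24])),
        "udp_ok": fragment_verdict(make_ipv4(PROTO_UDP, True, 0,
                                             struct.pack("!HHHH", 5000, 53, 16, 0))),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

Nothing here needs per-datagram state, which is the point of the reply: the filter never buffers fragments, so there is no reassembly table for an attacker to exhaust.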