Thus spake Peter da Silva:
>
> > Linux 2.0 has an option to re-assemble all fragmented
> > packets going thru it before applying the filter which stops it.
>
> Or just block packets that are too short to hold all the options. If you try
> and reassemble all the fragments that opens you up to a denial of service
> attack, and there really isn't any legitimate need to have packets that
> short.
The Linux 2.0 CONFIG_ALWAYS_DEFRAG stuff is designed to make the
transparent proxy and NAT code more correct; otherwise, you can get
things like PORT commands (which matter to the NAT stuff, obviously)
split between 2 fragments.
My recommendation is that the transparent proxy stuff is better than
the NAT stuff (Darren? =) ), but it's not quite as plug-and-play.
Mike
--
#> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation <#
#> Chief System Architect and Herder of Bits <#
#> <#
#> "Yoda say, `Just slap a little public key crypto into it' does not <#
#> a secure system make." -- Marcus J. Ranum (mjr@clark.net) <#
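The "block packets that are too short to hold all the options" rule from the quoted reply, written out as an added example (not code from this thread) in the style of RFC 1858's tiny-fragment filter: it inspects raw IPv4 bytes, drops a TCP first fragment that cannot carry the full TCP header including announced options, and drops later fragments that start inside the TCP header. The packet builder, sample TCP header and the "offset below 20 bytes" generalization are assumptions made here.

```python
import struct

TCP_PROTO = 6
TCP_MIN_HDR = 20   # TCP header without options

# Constructed sample: 20-byte TCP SYN header, data offset 5, no options.
SAMPLE_TCP_HDR = struct.pack("!HHIIBBHHH", 1234, 21, 0, 0, 0x50, 0x02, 8192, 0, 0)

def classify_fragment(pkt: bytes) -> str:
    """Return 'pass' or a 'drop: ...' reason for one raw IPv4 packet."""
    if len(pkt) < 20:
        return "drop: truncated IPv4 header"
    ver_ihl, _tos, total_len, _id, flags_fo, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    mf = bool(flags_fo & 0x2000)              # More Fragments flag
    frag_off = (flags_fo & 0x1FFF) * 8        # fragment offset in bytes
    payload = pkt[ihl:total_len]
    if proto != TCP_PROTO or (frag_off == 0 and not mf):
        return "pass"                         # not TCP, or not a fragment
    if frag_off == 0:
        # First fragment: must hold the whole TCP header, options included,
        # so the filter can see ports, flags and options in one piece.
        if len(payload) < TCP_MIN_HDR:
            return "drop: first fragment shorter than TCP header"
        data_off = (payload[12] >> 4) * 4     # TCP data offset, in bytes
        if len(payload) < data_off:
            return "drop: first fragment cuts TCP options"
        return "pass"
    if frag_off < TCP_MIN_HDR:
        # A non-first fragment landing inside the TCP header can only
        # overwrite fields the filter already judged in fragment 0.
        return "drop: fragment overlaps TCP header"
    return "pass"

def build_ipv4(payload: bytes, mf: bool, frag_off8: int, proto: int = TCP_PROTO) -> bytes:
    """Build a minimal IPv4 packet (checksum left zero) for testing the filter."""
    flags_fo = (0x2000 if mf else 0) | (frag_off8 & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_fo,
                      64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

if __name__ == "__main__":
    print(classify_fragment(build_ipv4(SAMPLE_TCP_HDR, True, 0)))   # pass
    print(classify_fragment(build_ipv4(SAMPLE_TCP_HDR[:8], True, 0)))  # drop
```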