On Sun, 14 Jul 1996, Mike Shaver wrote:
> > Or just block packets that are too short to hold all the options. If you try
> > and reassemble all the fragments that opens you up to a denial of service
> > attack, and there really isn't any legitimate need to have packets that
> > short.
>
> The Linux 2.0 CONFIG_ALWAYS_DEFRAG stuff is designed to make the
> transparent proxy and NAT code more correct; otherwise, you can get
> things like PORT commands (which matter to the NAT stuff, obviously)
> split between 2 fragments.
>
> My recommendation is that the transparent proxy stuff is better than
> the NAT stuff (Darren? =) ), but it's not quite as plug-and-play.

I have no problem setting up some proxies from the FWTK, particularly since
the application I'm looking at would be predominantly Windows users who
would not be using any other services except the ones which the FWTK
already has proxies for.

Damn, now if only I could get rid of the need for NFS on my current
network and I'd have that bastid pretty tightly secured.

Craig Brozefsky cosmo @ ebs . net
System Administrator vox: 312-226-1675
EBS.NET http://www.ebs.net
*****available for limited time only in this dimension****
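
The stateless check suggested in the quoted text (drop TCP fragments too short to hold the header and its options), written out as an added example that is not part of the original thread. The function names and the constructed sample packets are assumptions; the code does no reassembly, so a payload such as a PORT command split across later fragments is still not seen whole, which is the case CONFIG_ALWAYS_DEFRAG is described as covering.

```python
import struct

IPPROTO_TCP = 6
MIN_TCP_HEADER = 20  # fixed TCP header, before options

def build_ipv4(payload, frag_offset_units=0, more_fragments=False):
    """Constructed sample input: minimal IPv4 header (checksum 0) plus payload."""
    flags_frag = (0x2000 if more_fragments else 0) | frag_offset_units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                         flags_frag, 64, IPPROTO_TCP, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + payload

def build_tcp(data_offset_words=5, options=b""):
    """Constructed sample input: TCP SYN header to port 21 with optional options."""
    fixed = struct.pack("!HHIIBBHHH", 40000, 21, 0, 0,
                        data_offset_words << 4, 0x02, 1024, 0, 0)
    return fixed + options

def filter_verdict(packet):
    """Return 'pass...' or 'drop: <reason>' for one IPv4 packet, without reassembly."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop: not a complete IPv4 header"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "drop: bad IP header length"
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    if packet[9] != IPPROTO_TCP:
        return "pass: not TCP"
    offset_bytes = (flags_frag & 0x1FFF) * 8
    if offset_bytes > 0:
        # A later fragment must not land inside the fixed TCP header,
        # where it could rewrite fields an earlier check already accepted.
        if offset_bytes < MIN_TCP_HEADER:
            return "drop: fragment overlaps TCP header"
        return "pass: non-first fragment"
    transport = packet[ihl:min(total_len, len(packet))]
    if len(transport) < MIN_TCP_HEADER:
        return "drop: first fragment too short for TCP header"
    header_len = (transport[12] >> 4) * 4  # data offset covers the options
    if header_len < MIN_TCP_HEADER:
        return "drop: bad TCP data offset"
    if len(transport) < header_len:
        return "drop: TCP options cut off by fragmentation"
    return "pass"
```
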