In some mail from Mike Shaver, sie said:
>
> Thus spake Peter da Silva:
> >
> > > Linux 2.0 has an option to re-assemble all fragmented
> > > packets going thru it before applying the filter which stops it.
> >
> > Or just block packets that are too short to hold all the options. If you try
> > and reassemble all the fragments that opens you up to a denial of service
> > attack, and there really isn't any legitimate need to have packets that
> > short.
>
> The Linux 2.0 CONFIG_ALWAYS_DEFRAG stuff is designed to make the
> transparent proxy and NAT code more correct; otherwise, you can get
> things like PORT commands (which matter to the NAT stuff, obviously)
> split between 2 fragments.
Just quickly, I sometimes wonder about the wisdom of those adding these
featurisms to Linux. At least I think I remember being taught in
networking classes how it is bad for a routing box to try to reassemble
entire packets rather than just endpoints.
[I wonder if proxies/relays fit into this category too...]
The problem being dealt with is where NAT meets proxy (effectively).
Unless the NAT uses a proxy of sorts to deal with translating addresses
inside any layer above transport, it is not going to be a bug-free NAT.
Well, this depends on how you define NAT...
> My recommendation is that the transparent proxy stuff is better than
> the NAT stuff (Darren? =) ), but it's not quite as plug-and-play.
I would NOT use NAT if I wanted to make sure FTP/Real Audio, etc, worked...
Darren
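The alternative Peter da Silva raises above, dropping fragments that are too short to carry the transport header instead of reassembling on the filter, is the rule set RFC 1858 describes for TCP. The following is an added Python example, not code from this thread or from the Linux or IP Filter code being discussed. It parses a raw IPv4 header, applies the two stateless checks (first fragment too short; fragment at offset 8 that could overwrite the TCP flags on reassembly), and keeps no reassembly state, so it has none of the denial-of-service exposure the message mentions. The `build_ipv4` helper, the `TMIN` value of 20 bytes (the fixed TCP header), the 10.0.0.x addresses and the sample fragments are all constructed for the example.

```python
import struct

IPPROTO_TCP = 6

# Smallest transport payload a first fragment must carry to be let through.
# 20 bytes is the fixed TCP header, enough to expose ports and flags; the
# value is this example's assumption (RFC 1858 calls the threshold "tmin").
TMIN = 20


def build_ipv4(proto: int, ident: int, mf: bool, frag_off: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 header (no options) in front of payload.

    frag_off is in 8-byte units as on the wire. Addresses are constructed
    test values and the checksum is left at zero; nothing sends this packet.
    """
    flags_off = (0x2000 if mf else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                  # version 4, IHL 5 (20 bytes)
        0,                     # TOS
        20 + len(payload),     # total length
        ident,
        flags_off,
        64,                    # TTL
        proto,
        0,                     # header checksum (not computed here)
        bytes([10, 0, 0, 1]),  # constructed source
        bytes([10, 0, 0, 2]),  # constructed destination
    )
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the header fields the fragment rules need."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt) or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "id": ident,
        "proto": proto,
        "mf": bool(flags_off & 0x2000),
        "frag_off": flags_off & 0x1FFF,             # 8-byte units
        "payload_len": min(total_len, len(pkt)) - ihl,
    }


def fragment_verdict(pkt: bytes) -> tuple:
    """Return ("accept", reason) or ("drop", reason) for one IP packet.

    Applies the RFC 1858 fragment rules for TCP without reassembling, so the
    filter holds no per-datagram buffers an attacker could fill up.
    """
    h = parse_ipv4(pkt)
    if h["proto"] != IPPROTO_TCP:
        return ("accept", "non-TCP: fragment rules not applied here")
    if h["frag_off"] == 0 and h["payload_len"] < TMIN:
        # Tiny-fragment attack: ports and flags are pushed into a later
        # fragment that a stateless filter never gets to inspect.
        return ("drop", "first fragment shorter than TCP header")
    if h["frag_off"] == 1:
        # Overlapping-fragment attack: data at byte offset 8 lands on the
        # TCP flags field of the first fragment when the host reassembles.
        return ("drop", "fragment at offset 8 can overwrite TCP flags")
    return ("accept", "fragment rules satisfied")


if __name__ == "__main__":
    # Constructed fragments: the first carries only the two port numbers,
    # leaving the rest of the TCP header (and its flags) to a later piece.
    tcp_ports = struct.pack("!HH", 1234, 21)
    samples = {
        "tiny first fragment": build_ipv4(IPPROTO_TCP, 7, True, 0, tcp_ports),
        "offset-8 fragment": build_ipv4(IPPROTO_TCP, 7, True, 1, b"\x00" * 16),
        "normal first fragment": build_ipv4(IPPROTO_TCP, 8, True, 0, b"\x00" * 24),
        "normal later fragment": build_ipv4(IPPROTO_TCP, 8, False, 3, b"\x00" * 24),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} -> {fragment_verdict(pkt)}")
```

The trade-off is the one the thread describes: a first fragment carrying fewer than 20 bytes of transport data is refused outright, which no sensible stack generates, and the offset-8 rule costs one legitimate fragment size. What this check cannot do is the job CONFIG_ALWAYS_DEFRAG exists for: a NAT or transparent proxy that must rewrite an FTP PORT command split across two fragments still has to reassemble, and then needs a bound on how much fragment state it will hold per source.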