Fragments and connection tracking
John A. Sullivan III
jsullivan at opensourcedevel.com
Wed Jun 22 20:35:37 CEST 2005
We are working to use an iptables based VPN for a client where the
certificates do not fit into a single packet. Thus we have a
fragmentation problem. We normally drop all fragments on the Internet
interfaces in our rule sets. We are a little hesitant to stop doing so.
Does connection tracking make it safe to do so or does it make it more
dangerous? I understand that connection tracking will reassemble the
fragments. If someone is trying to attack by sending lots of non-head
fragments, will connection tracking drop those as invalid or will this
produce a denial of service attack as connection tracking tries to match
a flood of fragments without first fragments? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
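As an added illustration of the mechanism the question is about (this is not part of John's message and is not netfilter's code), the following Python model shows what a fragment reassembler keyed on (src, dst, id, proto) does when it is given a bounded memory budget and a per-queue timeout: a complete datagram that arrives out of order is reassembled; tail fragments that never get a first fragment sit in the queue, consume budget until it is exhausted, are refused after that, and are discarded once they time out, so they never reach the stateful rule set as a reassembled packet. Linux exposes comparable knobs as the sysctls net.ipv4.ipfrag_high_thresh and net.ipv4.ipfrag_time; the budget and timeout numbers below are constructed for the demo and are not the kernel defaults, and the model ignores overlapping-fragment handling and per-source fairness that a real implementation must also deal with.

```python
"""Toy model of IP fragment reassembly with a memory budget and a timeout.

Added example; NOT netfilter's code. The class, the sample addresses and the
thresholds are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int
    proto: int
    offset: int      # byte offset of this fragment's payload in the datagram
    more: bool       # MF flag: True unless this is the last fragment
    payload: bytes

    @property
    def key(self) -> Tuple[str, str, int, int]:
        return (self.src, self.dst, self.ident, self.proto)


@dataclass
class Queue:
    created: float
    frags: Dict[int, Fragment] = field(default_factory=dict)  # offset -> fragment
    total_len: Optional[int] = None  # known once the MF=0 fragment has arrived

    def mem(self) -> int:
        return sum(len(f.payload) for f in self.frags.values())


class Reassembler:
    def __init__(self, high_thresh: int, timeout: float):
        self.high_thresh = high_thresh  # total bytes allowed across all queues
        self.timeout = timeout          # seconds a queue may wait for fragments
        self.queues: Dict[Tuple[str, str, int, int], Queue] = {}
        self.stats = {"reassembled": 0, "dropped_overflow": 0, "expired": 0}

    def _mem_in_use(self) -> int:
        return sum(q.mem() for q in self.queues.values())

    def expire(self, now: float) -> None:
        """Discard queues that have waited longer than the timeout."""
        stale = [k for k, q in self.queues.items() if now - q.created > self.timeout]
        for k in stale:
            del self.queues[k]
            self.stats["expired"] += 1

    def feed(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Accept one fragment; return the datagram once it is complete."""
        self.expire(now)
        if self._mem_in_use() + len(frag.payload) > self.high_thresh:
            self.stats["dropped_overflow"] += 1  # budget exhausted: refuse it
            return None
        q = self.queues.setdefault(frag.key, Queue(created=now))
        q.frags[frag.offset] = frag
        if not frag.more:
            q.total_len = frag.offset + len(frag.payload)
        datagram = self._try_complete(q)
        if datagram is not None:
            del self.queues[frag.key]
            self.stats["reassembled"] += 1
        return datagram

    @staticmethod
    def _try_complete(q: Queue) -> Optional[bytes]:
        # Need the first fragment (offset 0), the last one (sets total_len)
        # and no gaps in between; otherwise keep waiting.
        if q.total_len is None or 0 not in q.frags:
            return None
        out, pos = bytearray(), 0
        while pos < q.total_len:
            f = q.frags.get(pos)
            if f is None:
                return None
            out += f.payload
            pos += len(f.payload)
        return bytes(out)


def fragment(src: str, dst: str, ident: int, proto: int, data: bytes, mtu: int) -> List[Fragment]:
    """Split a datagram into fragments of at most `mtu` payload bytes."""
    return [Fragment(src, dst, ident, proto, off, off + mtu < len(data), data[off:off + mtu])
            for off in range(0, len(data), mtu)]


def demo() -> dict:
    r = Reassembler(high_thresh=4000, timeout=30.0)
    # 1) A legitimate oversized datagram (constructed stand-in for a certificate
    #    exchange) delivered out of order: reassembled once all pieces are in.
    cert = bytes(range(256)) * 6                      # 1536 bytes
    frags = fragment("10.0.0.1", "10.0.0.2", 1, 17, cert, 500)
    first_ok = [r.feed(f, now=1.0) for f in reversed(frags)][-1] == cert
    # 2) Many tail-only fragments with distinct ids and no first fragment:
    #    none completes, the budget fills, the rest are refused.
    for i in range(100):
        r.feed(Fragment("10.0.0.9", "10.0.0.2", 1000 + i, 17, 500, False, b"x" * 100), now=2.0)
    queued_after_flood = len(r.queues)
    # 3) Later traffic: the stale queues expire and the budget is free again.
    second_ok = [r.feed(f, now=40.0) for f in frags][-1] == cert
    return {"first_ok": first_ok, "second_ok": second_ok,
            "queued_after_flood": queued_after_flood, "queues_left": len(r.queues), **r.stats}


if __name__ == "__main__":
    print(demo())
```

The point for the rule set question: with the reassembler in front of the stateful rules, a non-head fragment on its own is never handed to connection tracking as a packet, so it cannot be matched against a flow; what it can do is occupy reassembly memory until the budget or the timeout clears it, which is why the size of that budget and the timeout, not the conntrack table, are the limits that govern this kind of flood.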