Disabling packet fragmentation
blancher at cartel-securite.fr
Mon Jan 30 19:51:04 CET 2006
On Monday 30 January 2006 at 15:24 -0300, Alejandro Cabrera Obed wrote:
> Where do I have to discard packet fragmentation in my firewall: using a
> specific iptables rule, or in the kernel settings (maybe at
> /proc/sys/net/ipv4)?
AFAIK, if you use Netfilter conntrack, all IP traffic is defragmented, so
your backend network won't see any fragmented packets.
If you really want to drop fragmented packets, you can use the proper
iptables switch, as described in the manpage:
[!] -f, --fragment
This means that the rule only refers to second and further
fragments of fragmented packets. Since there is no way to
tell the source or destination ports of such a packet (or
ICMP type), such a packet will not match any rules which
specify them. When the "!" argument precedes the "-f"
flag, the rule will only match head fragments, or
But you don't filter the first packet fragment out.
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
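The two points in the reply above, that `-f` only matches second and further fragments (so a non-head fragment carries no ports to match on) and that conntrack hands the rules a reassembled datagram, can be checked against raw IPv4 headers. The following is an added example, not code from the original post or from the Netfilter project: it parses the flags/fragment-offset field of a constructed UDP datagram split across a 1500-byte MTU, reports which side of `-f` / `! -f` each fragment lands on, and reassembles the fragments the way a defragmenting firewall would before filtering. The `build_ipv4` helper, the sample addresses and ports, and the simplified reassembly (grouping by IP ID only, rejecting gaps and overlaps) are assumptions made for the example.

```python
import struct

# Bits of the 16-bit IPv4 "flags + fragment offset" field.
IP_DF = 0x4000           # Don't Fragment
IP_MF = 0x2000           # More Fragments
IP_OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units

def build_ipv4(payload: bytes, *, mf: bool = False, offset: int = 0,
               proto: int = 17, ident: int = 0x1234) -> bytes:
    """Build a minimal IPv4 packet (no options, checksum left at zero).
    Hypothetical helper used only to construct test input."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (IP_MF if mf else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed addresses
    return header + payload

def fragment_info(packet: bytes) -> dict:
    """Decode the fragmentation-relevant fields of an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    version_ihl, _tos, _total_len, ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    offset = (flags_frag & IP_OFFSET_MASK) * 8
    more = bool(flags_frag & IP_MF)
    return {
        "ident": ident,
        "proto": proto,
        "more_fragments": more,
        "offset": offset,
        "is_fragment": more or offset != 0,   # any piece of a fragmented datagram
        "head": offset == 0,                  # first fragment or unfragmented packet
    }

def iptables_f_match(packet: bytes) -> bool:
    """True where iptables' `-f` would match: second and further fragments only.
    `! -f` is the complement: head fragments and unfragmented packets."""
    return fragment_info(packet)["offset"] != 0

def transport_ports(packet: bytes):
    """Return (src_port, dst_port) for TCP/UDP, or None when the packet carries
    no transport header. Only the head fragment (offset 0) has one, which is
    why a port match can never fire on a non-head fragment."""
    info = fragment_info(packet)
    if info["offset"] != 0 or info["proto"] not in (6, 17):
        return None
    ihl = (packet[0] & 0x0F) * 4
    l4 = packet[ihl:ihl + 4]
    if len(l4) < 4:
        return None
    return struct.unpack("!HH", l4)

def reassemble(fragments):
    """Reassemble fragments of one datagram, as a defragmenting firewall does
    before rules run. Returns the transport payload, or None if a piece is
    missing or fragments do not tile exactly (gap or overlap)."""
    parts = sorted(((fragment_info(f), f[(f[0] & 0x0F) * 4:]) for f in fragments),
                   key=lambda p: p[0]["offset"])
    data = b""
    for info, payload in parts:
        if info["offset"] != len(data):
            return None
        data += payload
    if not parts or parts[-1][0]["more_fragments"]:
        return None
    return data

# Constructed sample: a 1608-byte UDP datagram (8-byte header + 1600 bytes)
# split across a 1500-byte MTU, giving 1480 bytes of payload per fragment.
UDP_HEADER = struct.pack("!HHHH", 53, 12345, 8 + 1600, 0)
DATAGRAM = UDP_HEADER + b"A" * 1600
FRAG_HEAD = build_ipv4(DATAGRAM[:1480], mf=True, offset=0)
FRAG_TAIL = build_ipv4(DATAGRAM[1480:], mf=False, offset=1480)
UNFRAGMENTED = build_ipv4(UDP_HEADER + b"B" * 100)

if __name__ == "__main__":
    for name, pkt in (("head", FRAG_HEAD), ("tail", FRAG_TAIL), ("whole", UNFRAGMENTED)):
        print(name, "matches -f" if iptables_f_match(pkt) else "matches ! -f",
              "ports:", transport_ports(pkt))
    print("reassembled:", reassemble([FRAG_TAIL, FRAG_HEAD]) == DATAGRAM)
```

The head fragment and the unfragmented packet both fall under `! -f`, so a rule written with `-f` alone leaves the first fragment through, exactly as the reply notes; the tail fragment returns no ports, so any rule that names a port silently never sees it. Once reassembled, the datagram is one ordinary packet with its UDP header intact, which is the view the backend gets behind a conntrack firewall.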