LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-01-2003, 10:22 AM   #1
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
iptables (Fragmented packets)


could som1 please explain the following to me asif i were a 10 year old ????

Match -f, --fragment

Example iptables -A INPUT -f

Explanation :
This match is used to match the second and third part of a fragmented packet. The reason for this is that in the case of fragmented packets, there is no way to tell the source or destination ports of the fragments, nor ICMP types, among other things. Also, fragmented packets might in rather special cases be used to compound attacks against other computers. Packet fragments like this will not be matched by other rules, and hence this match was created. This option can also be used in conjunction with the ! sign; however, in this case the ! sign must precede the match, i.e. ! -f. When this match is inverted, we match all header fragments and/or unfragmented packets. What this means, is that we match all the first fragments of fragmented packets, and not the second, third, and so on. We also match all packets that have not been fragmented during transfer. Note also that there are really good defragmentation options within the kernel that you can use instead. As a secondary note, if you use connection tracking you will not see any fragmented packets, since they are dealt with before hitting any chain or table in iptables.

should i use the ! -f match in all my rules then ????
 
Old 09-01-2003, 11:12 PM   #2
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
you can discard fragments if your system is not acting as a router

iptables -A INPUT -f -j DROP

Other revered Gurus, please correct me.
 
Old 09-02-2003, 07:40 AM   #3
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Original Poster
Rep: Reputation: 47
ahh thanX.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
IPTABLES - How to allow all packets from a certain address exitsfunnel Linux - Networking 3 09-06-2005 11:35 PM
Forwarding packets with Iptables DrunkenDisciple Linux - Software 2 07-25-2005 12:00 AM
how netfilter handles fragmented packets??? cranium2004 Linux - Networking 1 11-21-2004 01:47 PM
iptables won't let packets in - check please? Simon Bridge Linux - Security 3 01-26-2004 02:49 PM
iptables won't let packets in - check please? Simon Bridge Linux - Security 1 01-23-2004 10:26 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:34 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration