 From:  Bart Smit <bit at pipe dot nl>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  fragmented packets
 Date:  Mon, 01 Mar 2004 18:32:43 +0100
In the firewall rules, there is an option "Allow fragmented packets"
with a description suggesting that it should be normally off. This is
also the default.

I don't quite understand this. How is disallowing fragmentation a sane
default? Shouldn't you only disallow fragmentation in cases where you
are quite certain that fragmentation cannot happen?!

I would say that this is almost never the case, and certainly not if you
have no a priori knowledge about the networks that incoming packets have
travelled over.

So I always check the "Allow fragmented packets" box. Just how much
extra load does this put on m0n0wall? And how exactly does this make me
vulnerable to DoS attacks?