Dunno about other apps and DoS attacks, but I personally only needed this
fragmentation to be enabled for some game servers.
On Monday 01 of March 2004 18:32, Bart Smit wrote:
> In the firewall rules, there is an option "Allow fragmented packets"
> with a description suggesting that it should be normally off. This is
> also the default.
>
> I don't quite understand this. How is disallowing fragmentation a sane
> default? Shouldn't you only disallow fragmentation in cases where you
> are quite certain that fragmentation cannot happen?!
>
> I would say that this is almost never the case, and certainly not if you
> have no a priori knowledge about the networks that incoming packets have
> travelled over.
>
> So I always check the "Allow fragmented packets" box. Just how much
> extra load does this put on m0n0wall? And how exactly does this make me
> vulnerable to DOS attacks?
>
> --Bart