Hi Bart,

On Tue, 2004-03-02 at 03:32, Bart Smit wrote:
> In the firewall rules, there is an option "Allow fragmented packets"
> with a description suggesting that it should be normally off. This is
> also the default.
>
> I don't quite understand this. How is disallowing fragmentation a sane
> default? Shouldn't you only disallow fragmentation in cases where you
> are quite certain that fragmentation cannot happen?!
>
> I would say that this is almost never the case, and certainly not if you
> have no a priori knowledge about the networks that incoming packets have
> travelled over.
>
> So I always check the "Allow fragmented packets" box. Just how much
> extra load does this put on m0n0wall? And how exactly does this make me
> vulnerable to DoS attacks?

You should do some googling for attacks using fragmented packets. Unless you KNOW you need to enable this, it should always be disabled for security reasons.

-- 
Regards,

Hilton Travis                          Phone: +61-(0)7-3343-3889
Manager, Quark AudioVisual             Phone: +61-(0)419-792-394
Quark Computers                        http://www.QuarkAV.com/
(Brisbane, Australia)                  http://www.QuarkAV.net/
Open Source Projects: http://www.ares-desktop.org/ http://www.mamboband.org/

Non Linear Video Editing Solutions & Digital Audio Workstations
Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
Conference and Seminar AudioVisual Production and Recording

War doesn't determine who is right. War determines who is left.
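The point behind the "off by default" setting in this thread is that only the first fragment of an IP datagram carries the UDP/TCP header, so a stateless port-based rule has nothing to match on for the later fragments. The following is an added illustration, not code from the thread or from m0n0wall: it builds constructed IPv4 headers, classifies them by the MF flag and fragment offset, and shows what a simple stateless filter can and cannot decide for each (the decision labels are this example's own, not m0n0wall's).

```python
import struct

# Constructed 20-byte IPv4 headers for demonstration only (not captured traffic).
def build_ipv4_header(total_len, ident, more_fragments, frag_offset_units, proto=17):
    """Minimal IPv4 header; frag_offset_units is the offset in 8-byte units."""
    ver_ihl = (4 << 4) | 5                       # IPv4, header length 5 words
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s",
                       ver_ihl, 0, total_len, ident, flags_frag,
                       64, proto, 0,                     # TTL, protocol, checksum (unset)
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # RFC 5737 test addresses

def classify_fragment(header):
    """Return (is_fragment, carries_l4_header, offset_bytes, more_fragments)."""
    flags_frag = struct.unpack("!H", header[6:8])[0]
    more_fragments = bool(flags_frag & 0x2000)   # MF flag is bit 13
    offset_bytes = (flags_frag & 0x1FFF) * 8     # low 13 bits, 8-byte units
    is_fragment = more_fragments or offset_bytes > 0
    carries_l4_header = offset_bytes == 0        # only the first piece has ports
    return is_fragment, carries_l4_header, offset_bytes, more_fragments

def stateless_filter_decision(header, allow_fragments):
    """What a port-matching stateless filter can do with this header.

    'inspect'    : L4 header present, normal rule matching applies.
    'drop'       : fragments not allowed (the thread's default setting).
    'pass-blind' : fragments allowed, but this piece has no ports to match,
                   so it can only be forwarded (or reassembled) without
                   port-level policy. This is the gap the default closes.
    """
    is_frag, has_l4, _, _ = classify_fragment(header)
    if not is_frag:
        return "inspect"
    if not allow_fragments:
        return "drop"
    return "inspect" if has_l4 else "pass-blind"

if __name__ == "__main__":
    first = build_ipv4_header(1500, 0x1234, True, 0)     # first fragment
    second = build_ipv4_header(100, 0x1234, False, 185)  # last fragment, offset 1480
    whole = build_ipv4_header(60, 1, False, 0)           # unfragmented datagram
    for name, hdr in (("whole", whole), ("first", first), ("second", second)):
        print(name, classify_fragment(hdr),
              stateless_filter_decision(hdr, allow_fragments=False),
              stateless_filter_decision(hdr, allow_fragments=True))
```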