On Sun, Apr 23, 2000 at 06:06:19PM -0400, Bennett Todd wrote:
[snip]
> If you were to simply disallow all inbound fragments, you'd see
> broken traffic coming from servers that _don't_ attempt path MTU
> discovery, if any MTU along the way is smaller than the first hop.
Should be an interesting experiment; since this is a personal project
I can always change it.
> I like using firewalls that reassemble all packets; that removes
> that worry altogether. I haven't heard of a case where it's a good
> idea to allow fragments to traverse a firewall.
Which was the other option I'm investigating. How? While I've heard
that some hardware routers (Cisco) can do this, I'm trying to implement
a single-box solution for a home DSL line on a multi-homed Sun IPX.
Currently, it's running OpenBSD, but I haven't figured out if OpenBSD/
ip_filter can "proxy-reassemble" for inside destinations. FreeBSD's
ipfw seems to do this as a side-effect or "bug" in the "tee" function,
according to the man pages.
--
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
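As an added example (not part of the original mail, and not ipfilter or ipfw code), a small Python model of what a "reassemble everything" firewall does: fragment() splits a datagram the way a router with a smaller next-hop MTU would when DF is clear, and Reassembler collects the fragments in whatever order they arrive and hands the filter only complete datagrams, so rules always see the full transport header. The overlap check is a hardening detail the thread does not mention; the addresses, IP identifier and 1400-byte payload are constructed for the demo.

```python
"""IPv4 fragmentation and firewall-side reassembly (constructed example)."""
import random
import struct

IP_MF = 0x2000            # "More Fragments" flag in the flags/offset field
IP_OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, in units of 8 bytes
IPPROTO_UDP = 17


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(total_len, ident, flags_off, proto, src, dst):
    """20-byte IPv4 header without options, TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_header(pkt):
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "ident": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool(flags_off & IP_MF),
            "offset": (flags_off & IP_OFFSET_MASK) * 8,   # byte offset
            "data": pkt[ihl:total_len]}


def fragment(datagram, mtu):
    """Split `datagram` into fragments whose total length fits `mtu`."""
    h = parse_header(datagram)
    max_data = ((mtu - h["ihl"]) // 8) * 8   # fragment data is 8-byte aligned
    payload, frags = h["data"], []
    for off in range(0, len(payload), max_data):
        chunk = payload[off:off + max_data]
        more = IP_MF if off + len(chunk) < len(payload) else 0
        frags.append(build_header(h["ihl"] + len(chunk), h["ident"],
                                  more | (off // 8), h["proto"],
                                  h["src"], h["dst"]) + chunk)
    return frags


class Reassembler:
    """Returns a complete datagram or None; overlapping fragments are rejected
    and the whole pending datagram dropped, so no fragment can rewrite bytes
    another fragment already supplied (a favour-first/favour-last policy would
    leave that ambiguity in the data the filter inspects)."""

    def __init__(self):
        self.pending = {}

    def feed(self, pkt):
        h = parse_header(pkt)
        if not h["mf"] and h["offset"] == 0:
            return pkt                              # unfragmented: pass through
        key = (h["src"], h["dst"], h["ident"], h["proto"])
        st = self.pending.setdefault(key, {"frags": {}, "end": None, "hdr": h})
        start, end = h["offset"], h["offset"] + len(h["data"])
        if st["frags"].get(start) == h["data"]:
            return None                             # exact retransmit: ignore
        for s, d in st["frags"].items():
            if start < s + len(d) and s < end:      # byte ranges intersect
                del self.pending[key]
                raise ValueError("overlapping fragment; datagram discarded")
        st["frags"][start] = h["data"]
        if not h["mf"]:
            st["end"] = end                         # last fragment fixes length
        if st["end"] is None:
            return None
        pos = 0                                     # contiguous from 0 to end?
        for s in sorted(st["frags"]):
            if s != pos:
                return None
            pos += len(st["frags"][s])
        if pos != st["end"]:
            return None
        payload = b"".join(st["frags"][s] for s in sorted(st["frags"]))
        del self.pending[key]
        f = st["hdr"]
        return build_header(20 + len(payload), f["ident"], 0, f["proto"],
                            f["src"], f["dst"]) + payload


def demo(payload_len=1400, mtu=576, seed=1):
    """A server with DF clear sends one large UDP datagram; a 576-byte link
    fragments it; fragments arrive shuffled; the firewall reassembles."""
    payload = (bytes(range(256)) * (payload_len // 256 + 1))[:payload_len]
    datagram = build_header(20 + len(payload), 0xBEEF, 0, IPPROTO_UDP,
                            bytes([192, 168, 1, 10]), bytes([192, 168, 2, 20])) + payload
    frags = fragment(datagram, mtu)
    random.Random(seed).shuffle(frags)
    fw = Reassembler()
    complete = [p for p in (fw.feed(f) for f in frags) if p is not None]
    return len(frags), complete, datagram
```

Note what the demo shows about the thread's first point: with a 576-byte hop the 1420-byte datagram arrives as three fragments, and a blanket "drop inbound fragments" rule would discard all of them, while the reassembling firewall delivers one intact datagram to the filter.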