Phonix wrote:
> 
> Well, you can, to a point.  If you're keeping track of fragment info, you
> can still verify the integrity of all the pieces that have passed, and if
> a fragment comes in (in whatever order) that would create an invalid
> packet when reassembled, you should be able to reject the fragment
> then.

Ehm... This sounds dangerous to me. One thing you _cannot_ do 
is let fragments through where you haven't received the first 
fragment covering the TCP/UDP/whatever header. If you haven't 
seen that, you won't even know if the packet should be 
permitted in the first place!
Hence, you'll have to be prepared to buffer packets anyway, so why
not do it the right way while you're at it? :-)

/Mike

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
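
The point made in the message above, as an added example that is not part of the original post: a filter holds non-first fragments until the first fragment, which carries the TCP/UDP ports, has been checked against the rules. The `Fragment` type, the `allowed` rule set and the `FragmentGate` class are hypothetical names; the example assumes non-overlapping fragments and leaves out timeouts.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    src: str
    dst: str
    proto: int      # IP protocol number (6 = TCP, 17 = UDP)
    ip_id: int      # IP identification field shared by all fragments
    offset: int     # fragment offset in bytes (0 = first fragment)
    more: bool      # MF (more fragments) flag
    payload: bytes  # IP payload; starts with the transport header when offset == 0

def allowed(proto, dst_port):
    """Hypothetical rule set for this example: permit TCP/80 and UDP/53 only."""
    return (proto, dst_port) in {(6, 80), (17, 53)}

class FragmentGate:
    def __init__(self, max_held=64):
        self.verdict = {}   # datagram key -> True/False, set when the first fragment arrives
        self.held = {}      # datagram key -> fragments buffered while no verdict exists
        self.max_held = max_held

    def handle(self, f):
        """Return the list of fragments that may be forwarded right now."""
        key = (f.src, f.dst, f.proto, f.ip_id)
        if f.offset == 0:
            if len(f.payload) < 4:
                # Ports are not readable, so no rule can match: deny the datagram.
                self.verdict[key] = False
            else:
                # TCP and UDP both keep the destination port in bytes 2..3.
                dst_port = int.from_bytes(f.payload[2:4], "big")
                self.verdict[key] = allowed(f.proto, dst_port)
            waiting = self.held.pop(key, [])
            return [f] + waiting if self.verdict[key] else []
        if key in self.verdict:
            # First fragment already judged; later fragments share its fate.
            return [f] if self.verdict[key] else []
        # No header seen yet: buffer (bounded) instead of forwarding blindly.
        queue = self.held.setdefault(key, [])
        if len(queue) < self.max_held:
            queue.append(f)
        return []
```
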