On Thu, Sep 13, 2001 at 06:20:14AM -0000, Mohamed  Maraikayar wrote:
> A basic doubt. In many places I have read that if a packet is fragmented to a tiny
> packet, routers and many firewalls allow it to pass through. My doubt is: if
> the router or firewall receives a packet, and from that it could not make
> out where this packet is going, it should drop it by access-lists or rule
> base.

It is all about fragments which are big enough to carry the IP-level
information. Those fragments of course can easily be routed by routers. The
only thing which is not possible is to look at the TCP or UDP level info
like port numbers.

Recent implementations will drop such packets, but there is a lot of broken
software out there.

AFAIK even FW1 had a problem that overlapping fragments were not detected
and passed, and systems behind the firewall were able to reconstruct malicious
packets out of the fragments.

Personally I think you won't find small fragments live on the internet
(smaller than 128 bytes). So it is safe to drop them like most filters do.

Greetings
Bernd
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
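The two checks discussed in the thread, as an added example that is not part of the original mail or of any firewall product: a stateless filter can only inspect ports and flags when the first fragment carries the whole transport header, so a first fragment that is too short (the RFC 1858 "tiny fragment" case) or a later fragment whose offset lands inside the transport header (the overlap case) gets dropped; a reassembling firewall additionally tracks which byte ranges of each datagram it has seen and discards the datagram when a fragment overlaps an earlier one. The packet builder, addresses and sample fragments below are constructed for the demo; the header sizes (20 bytes TCP, 8 bytes UDP) are the protocol minimums.

```python
import struct
from dataclasses import dataclass


@dataclass
class IPv4Fragment:
    src: bytes
    dst: bytes
    proto: int
    ident: int
    offset: int           # byte offset of this fragment's payload within the datagram
    more_fragments: bool
    payload: bytes


def parse_ipv4(pkt: bytes) -> IPv4Fragment:
    """Minimal IPv4 header parser: honours IHL, ignores options and checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return IPv4Fragment(src=pkt[12:16], dst=pkt[16:20], proto=pkt[9], ident=ident,
                        offset=(flags_frag & 0x1FFF) * 8,           # fragment offset is in 8-byte units
                        more_fragments=bool(flags_frag & 0x2000),   # MF flag
                        payload=pkt[ihl:total_len])


def build_ipv4(ident, offset, mf, payload, proto=6,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed sample-packet builder for the demo (checksum left zero, no options)."""
    assert offset % 8 == 0, "fragment offsets are multiples of 8 bytes"
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


# Bytes a filter must see before it can apply port/flag rules: TCP 20, UDP 8 (protocol minimums).
MIN_TRANSPORT_HDR = {6: 20, 17: 8}


def stateless_verdict(frag: IPv4Fragment) -> str:
    """What a filter without reassembly can decide from a single fragment (RFC 1858 style)."""
    need = MIN_TRANSPORT_HDR.get(frag.proto)
    if need is None:
        return "pass"                                # not TCP/UDP: no port-based rule applies
    if frag.offset == 0:
        if frag.more_fragments and len(frag.payload) < need:
            return "drop:tiny-first-fragment"        # ports/flags not all present in this fragment
        return "inspect"                             # full transport header here: apply the rule base
    if frag.offset < need:
        return "drop:overlaps-transport-header"      # would overwrite fragment 0's header on reassembly
    return "pass:non-first-fragment"                 # no port info; the first fragment decided


class ReassemblyGuard:
    """Per-datagram byte-range tracking, as a reassembling firewall should do it."""

    def __init__(self):
        self.state = {}   # (src, dst, proto, ident) -> [list of (start, end), total_len or None]

    @staticmethod
    def _complete(ranges, total):
        pos = 0
        for s, e in sorted(ranges):
            if s > pos:
                return False                         # gap before this range
            pos = max(pos, e)
        return total is not None and pos >= total

    def check(self, frag: IPv4Fragment) -> str:
        key = (frag.src, frag.dst, frag.proto, frag.ident)
        ranges, total = self.state.setdefault(key, [[], None])
        start, end = frag.offset, frag.offset + len(frag.payload)
        for s, e in ranges:
            if start < e and s < end:                # intervals intersect: overlapping fragment
                self.state.pop(key, None)            # discard the whole datagram, not just this piece
                return "drop:overlapping-fragment"
        ranges.append((start, end))
        if not frag.more_fragments:
            total = self.state[key][1] = end         # last fragment fixes the datagram length
        if self._complete(ranges, total):
            self.state.pop(key, None)
            return "complete"
        return "ok"


def demo():
    """Run both checks over constructed fragments; returns (ident, offset, stateless, stateful)."""
    guard = ReassemblyGuard()
    pkts = [
        build_ipv4(1, 0, True, b"\x00\x16" + b"\x00" * 6),    # 8-byte first fragment: ports but no TCP flags
        build_ipv4(2, 0, True, b"\x00" * 20),                 # full TCP header in fragment 0
        build_ipv4(2, 8, True, b"\x00" * 16),                 # offset 8 overlaps bytes 8..23 of that header
        build_ipv4(3, 0, True, b"\x00" * 24),                 # well-formed datagram, two fragments
        build_ipv4(3, 24, False, b"\x00" * 8),
        build_ipv4(4, 0, True, b"\x00" * 8, proto=17),        # UDP: 8 bytes is the whole header
    ]
    results = []
    for p in pkts:
        f = parse_ipv4(p)
        results.append((f.ident, f.offset, stateless_verdict(f), guard.check(f)))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The stateless verdicts are what an access-list on a router can do on its own; the `ReassemblyGuard` verdict is the extra check that only a device holding fragment state can make, which is the gap the mail describes in older firewall releases.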
