Hi,

One thing about this discussion does irritate me:

Why do firewalls (especially FW-1) forward the fragments of
fragmented IP packets?

Why don't they just defragment the entire packet (with
appropriate largish buffers and smallish timeouts) and
then forward the unfragmented packet? (Since some sort
of defragmentation has to be performed anyway - as illustrated
by the latest DoS against FW-1 discovered by Lance Spitz -
why not do it Right and send the already reassembled packet
to the destination instead of the (probably somewhere buffered)
original fragments, once the packet gets accepted?)

Did I miss something important about IP fragments?

At least at home my Linux box always defragments packets
(required by the NAT code of the kernel) and does so
without any problems (besides the occasional discovery
of yet-another-fragments-DoS) over the past years...

[btw: I have not yet tried FW-1 for Linux; does it
work with the ip_always_defrag sysctl turned on?]

Firewall vendors (or OS vendors if it can be better done
inside the IP/network stack) could at least implement this
as an "optional feature" that can be turned on by people
like me :]

Don't be shy with your opinion on this question,

Juergen Meier

-- 
Juergen P. Meier                        email: [EMAIL PROTECTED]
Class GmbH Firmengruppe                 phone: +49 172 8379103
#include standard-disclaimer
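An added example, not code from the original post or from any firewall vendor: a minimal IPv4 fragment reassembler of the kind the post argues a firewall should run before forwarding, with the bounded buffers and timeout the post asks for. It discards a datagram wholesale when a fragment overlaps, contradicts the known end, or reaches past the 65535-byte limit, so only complete, consistent packets go out. Offsets are given in bytes, the flow key is assumed to be (src, dst, protocol, identification), and all fragments fed to it are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_DATAGRAM = 65535   # IPv4 total-length limit; a fragment reaching past it is bogus
@dataclass
class Fragment:
    offset: int       # byte offset within the original datagram (header field * 8)
    more: bool        # IP "more fragments" (MF) flag
    payload: bytes
@dataclass
class _Pending:
    first_seen: float
    pieces: list = field(default_factory=list)
    total: Optional[int] = None     # known once the MF=0 fragment has arrived
class Reassembler:
    def __init__(self, timeout: float = 30.0, max_pending: int = 1024):
        self.timeout, self.max_pending = timeout, max_pending
        self.pending: dict = {}     # constructed key (src, dst, proto, id) -> _Pending
        self.dropped = 0

    def add(self, key: tuple, frag: Fragment, now: float) -> Optional[bytes]:
        # "smallish timeout": forget datagrams that never completed and free their buffers
        for k in [k for k, p in self.pending.items() if now - p.first_seen > self.timeout]:
            del self.pending[k]
            self.dropped += 1
        if key not in self.pending and len(self.pending) >= self.max_pending:
            self.dropped += 1            # bounded memory: refuse to start new datagrams
            return None
        p = self.pending.setdefault(key, _Pending(first_seen=now))
        end = frag.offset + len(frag.payload)
        malformed = (end > MAX_DATAGRAM
            or (frag.more and len(frag.payload) % 8)            # non-final pieces are 8-byte multiples
            or (p.total is not None and end > p.total)          # reaches past the known end
            or (not frag.more and p.total not in (None, end))   # contradictory second last fragment
            or any(frag.offset < q.offset + len(q.payload) and q.offset < end for q in p.pieces))
        if malformed:                    # overlap or bogus size: drop the whole datagram
            del self.pending[key]
            self.dropped += 1
            return None
        p.pieces.append(frag)
        p.total = end if not frag.more else p.total
        pieces = sorted(p.pieces, key=lambda q: q.offset)
        contiguous = pieces[0].offset == 0 and all(
            a.offset + len(a.payload) == b.offset for a, b in zip(pieces, pieces[1:]))
        if p.total is None or not contiguous:
            return None                  # last fragment or a middle piece still missing: keep buffering
        del self.pending[key]
        return b"".join(q.payload for q in pieces)   # complete: forward this, not the fragments
```

`add()` returns the reassembled payload only once every byte from offset 0 to the last fragment is present; `dropped` counts datagrams discarded for timeout, overlap or bogus size, which is the number a firewall would want to log.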