ipfilter "flags s keep state" question

2005-02-15 Thread dick hoogendijk
I read a lot of rulesets for ipfilter just to study how others do the
job.
I've read the ipf HOWTO too. One thing is still very unclear to me
though.
Most rules for tcp have something like "flags S keep state" but *some*
have "flags S keep state keep frags"

Can someone explain to me *when* to use keep frags and when not to? The
HOWTO is very unclear about this. What exactly is the use of this extra
'keep frags'?

-- 
dick -- http://nagual.st/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 4.11 ++ FreeBSD 5.3
+ Nai tiruvantel ar vayuvantel i Valar tielyanna nu vilja
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: ipfilter "flags s keep state" question

2005-02-15 Thread Murray Taylor
tcp rules can use 'keep frags'
TCP packets allow fragmentation by intermediate routers
that need re-assembly at the final destination

On Wed, 2005-02-16 at 08:36, dick hoogendijk wrote:
> I read a lot of rulesets for ipfilter just to study how others do the
> job.
> I've read the ipf HOWTO too. One thing is still very unclear to me
> though.
> Most rules for tcp have something like "flags S keep state" but *some*
> have "flags S keep state keep frags"
> 
> Can someone explain to me *when* to use keep frags and when not to? The
> HOWTO is very unclear about this. What exactly is the use of this extra
> 'keep frags'?
-- 
Murray Taylor
Special Projects Engineer
-
Bytecraft Systems & Entertainment
P: +61 3 8710 2555
F: +61 3 8710 2599
D: +61 3 9238 4275
M: +61 417 319 256
E: [EMAIL PROTECTED]
or visit us on the web
http://www.bytecraftsystems.com
http://www.bytecraftentertainment.com
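Added example, not part of the thread and not ipfilter's own code: a simplified Python model of why a trailing IP fragment, which carries no TCP header, cannot match a port-based state entry unless the filter also remembers the fragmented datagram, which is what 'keep frags' requests. The class and field names, the addresses, the port 22 rule and the default-block policy are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:                      # hypothetical, minimal view of an IP packet
    src: str
    dst: str
    ip_id: int                     # IP identification, shared by all fragments
    frag_off: int                  # fragment offset; 0 means first fragment
    more_frags: bool               # MF bit
    sport: Optional[int] = None    # ports exist only where the TCP header is,
    dport: Optional[int] = None    # i.e. in the first fragment
    syn: bool = False

class Filter:
    """Toy model of: pass in proto tcp ... port = 22 flags S keep state [keep frags],
    followed by a default block (assumed policy)."""
    def __init__(self, keep_frags: bool):
        self.keep_frags = keep_frags
        self.states = set()        # (src, sport, dst, dport), one direction only
        self.frags = set()         # (src, dst, ip_id) of datagrams already allowed

    def check(self, p: Packet) -> str:
        if p.frag_off > 0:
            # No TCP header here, so neither the port rule nor the state
            # table can match; only a remembered fragment entry can.
            return "pass" if (p.src, p.dst, p.ip_id) in self.frags else "block"
        key = (p.src, p.sport, p.dst, p.dport)
        allowed = key in self.states
        if not allowed and p.syn and p.dport == 22:
            self.states.add(key)   # "flags S keep state"
            allowed = True
        if allowed and self.keep_frags and p.more_frags:
            self.frags.add((p.src, p.dst, p.ip_id))   # "keep frags"
        return "pass" if allowed else "block"

def run(keep_frags: bool) -> list:
    # Constructed traffic: a SYN, then one data segment split into two fragments.
    a, b = "192.0.2.10", "198.51.100.5"
    pkts = [
        Packet(a, b, ip_id=1, frag_off=0, more_frags=False, sport=40000, dport=22, syn=True),
        Packet(a, b, ip_id=2, frag_off=0, more_frags=True, sport=40000, dport=22),
        Packet(a, b, ip_id=2, frag_off=185, more_frags=False),
    ]
    fw = Filter(keep_frags)
    return [fw.check(p) for p in pkts]

if __name__ == "__main__":
    print("keep state only      :", run(False))
    print("keep state keep frags:", run(True))
```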




Re: ipfilter "flags s keep state" question

2005-02-16 Thread Dick Hoogendijk
On 16 Feb Murray Taylor wrote:
> tcp rules can use 'keep frags'
> TCP packets allow fragmentation by intermediate routers
> that need re-assembly at the final destination
> 
> On Wed, 2005-02-16 at 08:36, dick hoogendijk wrote:
> > I read a lot of rulesets for ipfilter just to study how others do
> > the job.  I've read the ipf HOWTO too. One thing is still very
> > unclear to me though.  Most rules for tcp have something like "flags
> > S keep state" but *some* have "flags S keep state keep frags"
> > 
> > Can someone explain to me *when* to use keep frags and when not to?
> > The HOWTO is very unclear about this. What exactly is the use of
> > this extra 'keep frags'?

YES, I know tcp packets can get fragmented. I wonder, however, why in most
cases people just use "keep state" and *sometimes* "keep state keep
frags". I'd really like to know when or when not to use "keep frags".
In other words: when is it really useful and when is it not?

-- 
dick -- http://nagual.st/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 4.11 ++ FreeBSD 5.3
+ Nai tiruvantel ar vayuvantel i Valar tielyanna nu vilja