Hi, I got confused over the antispoof settings. I turned on antispoof "Class C" for a 192.168.x network and wondered where the packets went :-) Now I understand how it works - or so I hope.
I think it would make more sense for the current antispoof capabilities to be a per-interface setting instead of per-network. The generated iptables rules in chain ANTISPOOF and the rules invoking the ANTISPOOF chain do not depend on the network address anyway, and you get antispoof rules for an interface if any network attached to it wants them. This would probably break backward compatibility.

On the other hand, a different kind of per-network antispoof setting might be desirable: you assign a network to an interface, and packets with source addresses from that network arriving on the wrong interface get dropped and optionally logged. This might have some backward compatibility issues, too. Currently you are allowed to define the same address range multiple times (with different names and/or in different zones) and assign them to different interfaces.

Finally, a question regarding fragment handling: can I configure vuurmuur to allow them? I found an option to turn logging on and off, but no option to forward them. Is it necessary to block them all? I cannot really demonstrate an application failing, but I remember reading about problems with Windows networking. Some clients would want to download software updates depending on available bandwidth and use a 2000-byte ping packet for measuring. This gets split into 2 fragments on almost all networks (the MTU being 1500 on Ethernet). With a firewall dropping all fragments, these clients concluded they did not have enough bandwidth available and never got any software updates.

Regards
Matthias Ferdinand
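One way to express the per-network antispoof idea from the post as iptables rules, added here as an example and not vuurmuur's own rule generator; the chain name ANTISPOOF_NET, the interface names and the sample networks are assumed values. It also refuses a configuration that attaches one address range to several interfaces, since those rules would then drop legitimate traffic.

```shell
#!/bin/sh
# Added example (not vuurmuur code): emit per-network antispoof rules.
# Chain ANTISPOOF_NET, interfaces and networks are assumed values.
# Rules are printed, not applied, so they can be reviewed before loading as root.

# antispoof_net_rules IFACE NETWORK [LOG_PREFIX]
# Packets with a source in NETWORK that did NOT arrive on IFACE are dropped;
# with LOG_PREFIX they are logged first (rate-limited so the log stays readable).
antispoof_net_rules() {
    iface=$1; net=$2; prefix=$3
    if [ -n "$prefix" ]; then
        printf 'iptables -A ANTISPOOF_NET ! -i %s -s %s -m limit --limit 5/min -j LOG --log-prefix "%s"\n' \
            "$iface" "$net" "$prefix"
    fi
    printf 'iptables -A ANTISPOOF_NET ! -i %s -s %s -j DROP\n' "$iface" "$net"
}

# antispoof_check_unique: reads "IFACE NETWORK" lines on stdin; exits 0 when every
# network is assigned to exactly one interface, 1 otherwise (the case the post
# mentions, where the same range is attached to different interfaces).
antispoof_check_unique() {
    awk '{ if (seen[$2]++) { print "duplicate network " $2 > "/dev/stderr"; bad=1 } }
         END { exit bad+0 }'
}

# antispoof_ruleset: reads "IFACE NETWORK" lines on stdin and emits the whole
# rule set, including the hooks that send INPUT and FORWARD traffic through it.
# Loopback is returned early: traffic to the host's own LAN address arrives on lo
# with a LAN source and would otherwise be dropped as spoofed.
antispoof_ruleset() {
    cfg=$(cat)
    printf '%s\n' "$cfg" | antispoof_check_unique || return 1
    echo 'iptables -N ANTISPOOF_NET'
    echo 'iptables -A ANTISPOOF_NET -i lo -j RETURN'
    echo 'iptables -I INPUT 1 -j ANTISPOOF_NET'
    echo 'iptables -I FORWARD 1 -j ANTISPOOF_NET'
    printf '%s\n' "$cfg" | while read -r iface net; do
        [ -n "$iface" ] && antispoof_net_rules "$iface" "$net" "SPOOF $net "
    done
}

# Constructed sample configuration: two LANs on separate interfaces.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' 'eth1 192.168.1.0/24' 'eth2 192.168.2.0/24' | antispoof_ruleset
fi
```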
