From: gregory gilbert <gilbertgregory@caramail.com>
To: Ramin Alidousti <ramin@cannon.eng.us.uu.net>, gregory gilbert <gilbertgregory@caramail.com>, netfilter@lists.samba.org
Subject: Re[1] about ip fragmentation
Date: Thu, 09 May 2002 20:17:29 GMT+1
Message-ID: <1020968249025056@caramail.com>
I use the DOS ping command. The -l option allows you to specify
the length of the ICMP packets.
"iptables -A FORWARD ! -f -p icmp -j DROP" should only drop
the first fragment or the unfragmented packets.
Greg
> I can confirm your finding. "iptables -A FORWARD -f -p icmp -j DROP"
> does not drop the second and further fragments of fragmented icmp
> packets. However, "iptables -A FORWARD ! -f -p icmp -j DROP" does
> work as predicted. Can someone shed some light on this behavior?
>
> Ramin
> PS. I don't know which ping implementation you're using but on my
> machine "-l" means "ping sends that many packets as fast as
> possible before ..." and "-s" specifies the number of data bytes
> to be sent.
>
> On Thu, May 09, 2002 at 08:51:21AM +0000, gregory gilbert wrote:
>
> > Hi
> >
> > I am a new user of iptables and I already have a problem:
> > I have to configure a firewall with the iptables command. I
> > have this first very simple rule:
> >
> > iptables -A FORWARD -f -p icmp -j DROP
> >
> > I think this rule should drop any 2nd, or 3rd and so on ...
> > fragment of a ping command.
> > But if I ping a computer and the icmp packet goes through
> > my firewall, I can see some fragments after the firewall (I
> > use tcpdump). It seems this rule is not applied. The
> > fragmented packets are before and after my linux firewall.
> > So I have a question: is there any ip defragmentation
> > before the rules of iptables are applied by the
> > firewall? I mean, I wonder if some fragments are received
> > by iptables, or if the defragmentation occurs before (it
> > would be strange: the -f or ! -f flags exist ... so the
> > defragmentation should occur after the iptables rules
> > application).
> > Or is there a mistake in my command? Or did I misunderstand
> > something with iptables?
> >
> > In fact, if I just add the following command:
> >
> > iptables -A FORWARD -p icmp -j DROP
> >
> > all the packets are dropped (the first fragment, the second
> > and so on ...).
> > But if I just want to drop the 2nd, the 3rd ... fragments,
> > I don't know which iptables rule to add.
> >
> > To ensure I have fragments, I ping this way:
> > ping -l 2000 x.x.x.x
> > and I can see the fragments with tcpdump.
> >
> > I really can't understand why my firewall does not behave
> > the way I predicted. So could you help me?
> >
> > Greg
> >
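What the `-f` and `! -f` matches actually test is the fragment-offset field of each IPv4 header: `-f` matches only packets whose offset is non-zero (second and further fragments), `! -f` matches head fragments and unfragmented packets, and `-p icmp` alone matches every fragment because the protocol byte is carried in every fragment's header. The following is an added example, not code from this thread or from netfilter: it builds the fragments a 2000-byte ping would produce at a 1500-byte MTU (constructed sample headers, with assumed addresses 10.0.0.1 and 10.0.0.2) and walks the three rules from the thread over them the way a chain is evaluated, first match wins.

```python
"""Simulate how iptables' -f / ! -f fragment match classifies IPv4 packets.

Added example for the iptables fragment discussion; the packets are constructed
sample data and the rule representation is this script's own, not iptables' API.
"""
import struct

IP_MF = 0x2000        # "More Fragments" bit in the flags/fragment-offset field
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset, in units of 8 bytes
IPPROTO_ICMP = 1


def build_ipv4_header(proto, mf, frag_offset, total_len):
    """Return a minimal 20-byte IPv4 header (constructed test data, no checksum)."""
    flags_frag = (IP_MF if mf else 0) | (frag_offset & IP_OFFMASK)
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0x1234,   # version/IHL, TOS, length, ID
                       flags_frag, 64, proto, 0,     # flags+offset, TTL, proto, csum
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # assumed addresses


def fragment_offset(pkt):
    """Fragment offset in 8-byte units, taken from header bytes 6-7."""
    return struct.unpack_from("!H", pkt, 6)[0] & IP_OFFMASK


def is_non_first_fragment(pkt):
    """The iptables -f test: true only for second and further fragments."""
    return fragment_offset(pkt) > 0


def rule_matches(pkt, proto, want_fragment):
    """want_fragment: True for '-f', False for '! -f', None when -f is absent.

    The protocol byte (offset 9) is present in every fragment, so '-p icmp'
    matches tail fragments too; only layer-4 fields such as ICMP type are missing.
    """
    if pkt[9] != proto:
        return False
    if want_fragment is None:
        return True
    return is_non_first_fragment(pkt) == want_fragment


def apply_chain(rules, pkt, policy="ACCEPT"):
    """Walk a chain as iptables does: the first matching rule decides."""
    for proto, want_fragment, target in rules:
        if rule_matches(pkt, proto, want_fragment):
            return target
    return policy


def verdicts(rules, packets):
    return [apply_chain(rules, p) for p in packets]


# Constructed traffic: a 2000-byte ping (2008 bytes of ICMP) split at MTU 1500
# gives a 1480-byte head fragment and a 528-byte tail at offset 1480/8 = 185.
PING_FRAGMENTS = [
    build_ipv4_header(IPPROTO_ICMP, mf=True, frag_offset=0, total_len=1500),   # head
    build_ipv4_header(IPPROTO_ICMP, mf=False, frag_offset=185, total_len=548),  # tail
]
SMALL_PING = build_ipv4_header(IPPROTO_ICMP, mf=False, frag_offset=0, total_len=84)
TRAFFIC = PING_FRAGMENTS + [SMALL_PING]

# The three rules from the thread, as (proto, want_fragment, target) tuples.
RULE_DROP_TAIL_FRAGS = [(IPPROTO_ICMP, True, "DROP")]   # iptables -A FORWARD -f -p icmp -j DROP
RULE_DROP_HEADS = [(IPPROTO_ICMP, False, "DROP")]       # iptables -A FORWARD ! -f -p icmp -j DROP
RULE_DROP_ALL_ICMP = [(IPPROTO_ICMP, None, "DROP")]     # iptables -A FORWARD -p icmp -j DROP

if __name__ == "__main__":
    names = ["head fragment", "tail fragment", "small ping"]
    for label, rules in [("-f -p icmp", RULE_DROP_TAIL_FRAGS),
                         ("! -f -p icmp", RULE_DROP_HEADS),
                         ("-p icmp", RULE_DROP_ALL_ICMP)]:
        print(label, dict(zip(names, verdicts(rules, TRAFFIC))))
```

The simulation shows the rule semantics as documented, which is what the thread expects to see. One point worth knowing when the observed behaviour differs: when the connection-tracking module is loaded, netfilter reassembles fragments before the filter table is consulted, so the filter hooks only ever see whole datagrams and a `-f` rule never matches anything; that is a property of the kernel's hook ordering, not of the rule itself.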