Date:      Thu, 24 Aug 1995 22:34:19 PDT
From:      Bill Fenner <fenner@parc.xerox.com>
To:        Poul-Henning Kamp <phk@freefall.freebsd.org>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: IPFW and SCREEND 
Message-ID:  <95Aug24.223426pdt.177475@crevenia.parc.xerox.com>
In-Reply-To: Your message of "Wed, 23 Aug 95 00:18:44 PDT." <199508230718.AAA16049@freefall.FreeBSD.org> 

In message <199508230718.AAA16049@freefall.FreeBSD.org> you write:
>Actually, since all IP-nets SHALL transfer a minimum MTU of 576 (or 
>thereabout), there is no reason to receive a fragment with an offset of less.

Actually, the minimum MTU in IPv6 is 576; the minimum MTU in IPv4 is 68.
68 bytes is enough to get past the transport layer ports, so you should
be able to prevent this kind of attack by dropping fragments with an
offset of less than 68.  This will still allow overwriting TCP options,
but it's not likely that a firewall is going to be filtering on them...

  Bill
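The offset check Bill describes, written out as a small packet-filter routine. This is an added example, not code from the original thread and not ipfw's or screend's implementation; the function names (`parse_ipv4_fragment`, `tiny_fragment_check`, `make_ipv4_header`) are hypothetical, the 68-byte threshold is the IPv4 minimum MTU quoted in the message, and the headers it builds are constructed test input rather than captured packets. It parses the RFC 791 flags/offset field, drops any non-first fragment whose offset is below 68 bytes (so a later fragment cannot land on top of the transport-layer ports carried in the first one), and passes everything else to whatever rules follow. As the message notes, this says nothing about fragments that overlap TCP options at offsets of 68 bytes or more.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original mailing-list thread, ipfw or screend):
 * a filter check that drops IPv4 fragments with a nonzero offset below the
 * 68-byte minimum IPv4 MTU, as proposed in the message above. */

#define IPV4_MIN_MTU 68          /* minimum IPv4 MTU cited in the message */
#define IP_OFFMASK   0x1fffu     /* 13-bit fragment offset, in 8-byte units */
#define IP_MF        0x2000u     /* "more fragments" flag */

enum verdict { PASS = 0, DROP = 1 };

struct ip_frag_info {
    unsigned offset_bytes;   /* fragment offset converted to bytes */
    int more_fragments;      /* MF flag set */
    int is_fragment;         /* MF set or offset != 0 */
};

/* Parse the fragmentation fields of an IPv4 header (RFC 791 layout).
 * Returns -1 if the buffer is shorter than a minimal header or not IPv4. */
int parse_ipv4_fragment(const uint8_t *pkt, size_t len, struct ip_frag_info *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    /* bytes 6-7: 3 flag bits + 13-bit offset, big-endian */
    uint16_t frag = (uint16_t)((pkt[6] << 8) | pkt[7]);
    out->offset_bytes   = (frag & IP_OFFMASK) * 8u;
    out->more_fragments = (frag & IP_MF) != 0;
    out->is_fragment    = out->more_fragments || out->offset_bytes != 0;
    return 0;
}

/* The rule from the message: a non-first fragment whose offset is below the
 * minimum MTU is dropped; first fragments and later fragments at or beyond
 * 68 bytes are left to the normal firewall rules. */
enum verdict tiny_fragment_check(const uint8_t *pkt, size_t len)
{
    struct ip_frag_info fi;
    if (parse_ipv4_fragment(pkt, len, &fi) != 0)
        return DROP;   /* truncated or non-IPv4: nothing sensible to filter on */
    if (fi.offset_bytes != 0 && fi.offset_bytes < IPV4_MIN_MTU)
        return DROP;
    return PASS;
}

/* Build a minimal 20-byte IPv4 header with the given MF flag and offset
 * (in 8-byte units). Constructed test input, not a captured packet. */
void make_ipv4_header(uint8_t hdr[20], int mf, unsigned offset_units)
{
    memset(hdr, 0, 20);
    hdr[0] = 0x45;                    /* version 4, IHL 5 */
    hdr[3] = 20;                      /* total length (no payload) */
    uint16_t frag = (uint16_t)((mf ? IP_MF : 0) | (offset_units & IP_OFFMASK));
    hdr[6] = (uint8_t)(frag >> 8);
    hdr[7] = (uint8_t)(frag & 0xff);
    hdr[8] = 64;                      /* TTL */
    hdr[9] = 6;                       /* protocol: TCP */
}

int main(void)
{
    static const struct { int mf; unsigned units; const char *what; } cases[] = {
        { 1, 0, "first fragment (offset 0, MF set)" },
        { 0, 1, "fragment at offset 8 bytes" },
        { 0, 8, "fragment at offset 64 bytes" },
        { 0, 9, "fragment at offset 72 bytes" },
    };
    uint8_t h[20];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        make_ipv4_header(h, cases[i].mf, cases[i].units);
        printf("%-36s -> %s\n", cases[i].what,
               tiny_fragment_check(h, sizeof h) == PASS ? "pass" : "drop");
    }
    return 0;
}
```

Run stand-alone, it prints a verdict per constructed header: the first fragment and the 72-byte-offset fragment pass, the 8-byte and 64-byte offsets are dropped. A filter that does this still has to reassemble or track fragments to enforce port-based rules, since the rule only removes the case where a small later fragment rewrites the ports a first fragment already carried.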


