Date: Fri, 25 Aug 1995 08:22:50 +0200 (MET DST) From: guido@gvr.win.tue.nl (Guido van Rooij) To: fenner@parc.xerox.com (Bill Fenner) Cc: phk@freefall.freebsd.org, freebsd-hackers@freebsd.org Subject: Re: IPFW and SCREEND Message-ID: <199508250622.IAA08602@gvr.win.tue.nl> In-Reply-To: <95Aug24.223426pdt.177475@crevenia.parc.xerox.com> from "Bill Fenner" at Aug 24, 95 10:34:19 pm
next in thread | previous in thread | raw e-mail | index | archive | help
Bill Fenner wrote: > > Actually, the minimum MTU in IPv6 is 576; the minimum MTU in IPv4 is 68. > 68 bytes is enough to get past the transport layer ports, so you should > be able to prevent this kind of attack by dropping fragments with an > offset of less than 68. This will still allow overwriting TCP options, > but it's not likely that a firewall is going to be filtering on them... Not true. an ip header kan be 60 bytes maximum (20 byte header, 40 byte options). you should at least make sure that you can 'look' to the ACK it of the TCP header. That means at least 14 bytes.. -Guido
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199508250622.IAA08602>