From: guido@gvr.win.tue.nl (Guido van Rooij)
Subject: Re: IPFW and SCREEND
To: fenner@parc.xerox.com (Bill Fenner)
Date: Fri, 25 Aug 1995 08:22:50 +0200 (MET DST)
Cc: phk@freefall.freebsd.org, freebsd-hackers@freebsd.org
Message-Id: <199508250622.IAA08602@gvr.win.tue.nl>
In-Reply-To: <95Aug24.223426pdt.177475@crevenia.parc.xerox.com> from "Bill Fenner" at Aug 24, 95 10:34:19 pm

Bill Fenner wrote:
>
> Actually, the minimum MTU in IPv6 is 576; the minimum MTU in IPv4 is 68.
> 68 bytes is enough to get past the transport layer ports, so you should
> be able to prevent this kind of attack by dropping fragments with an
> offset of less than 68. This will still allow overwriting TCP options,
> but it's not likely that a firewall is going to be filtering on them...

Not true. An IP header can be 60 bytes maximum (20 byte header, 40 byte
options). You should at least make sure that you can 'look' at the ACK bit
of the TCP header. That means at least 14 bytes.

-Guido
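The two checks the exchange above is circling around, as an added example in C that is not code from the thread, from ipfw or from screend. It works in TCP-relative terms rather than Bill's "68 bytes on the wire": a first fragment must carry at least 14 bytes of TCP header (byte 13 holds the flags, including ACK = 0x10) whatever the IP header length, and a later fragment must not start before byte 14 of the segment, since the smallest non-zero fragment offset is 8 bytes and would land on the flags at reassembly. The packets are constructed inline (NOP options, addresses and ports are arbitrary, checksums are left zero and not verified); a real filter would additionally have to handle other transport protocols and verify the IP checksum.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Byte 13 of the TCP header holds the flags (ACK = 0x10), so a first
 * fragment has to carry at least 14 bytes of TCP header before a filter
 * can see the ACK bit.  A 60-byte IP header plus 8 bytes of TCP is 68
 * bytes on the wire and still hides the flags. */
#define TCP_FLAGS_BYTE 13
#define MIN_TCP_BYTES  (TCP_FLAGS_BYTE + 1)

enum verdict { ACCEPT, DROP_MALFORMED, DROP_TINY, DROP_OVERLAP };

/* Verdict for one IPv4 packet or fragment.  For a first (or unfragmented)
 * TCP fragment that passes, *ack_bit is set to 0/1; otherwise it stays -1. */
enum verdict check_fragment(const uint8_t *pkt, size_t len, int *ack_bit)
{
    if (ack_bit) *ack_bit = -1;
    if (len < 20 || (pkt[0] >> 4) != 4) return DROP_MALFORMED;
    unsigned ihl   = (pkt[0] & 0x0f) * 4u;                   /* 20..60 bytes */
    unsigned total = ((unsigned)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || ihl > 60 || total < ihl || total > len) return DROP_MALFORMED;
    unsigned fo = (((unsigned)pkt[6] & 0x1f) << 8) | pkt[7]; /* 8-byte units */
    unsigned payload = total - ihl;

    if (pkt[9] != 6) return ACCEPT;                /* only TCP is checked here */

    if (fo == 0) {
        /* First fragment: the flags byte must be present, whatever the IHL. */
        if (payload < MIN_TCP_BYTES) return DROP_TINY;
        if (ack_bit) *ack_bit = (pkt[ihl + TCP_FLAGS_BYTE] & 0x10) != 0;
        return ACCEPT;
    }
    /* Later fragment: offset 1 (8 bytes) lands inside the first 14 bytes of
     * the segment and could rewrite the flags during reassembly. */
    if (fo * 8 < MIN_TCP_BYTES) return DROP_OVERLAP;
    return ACCEPT;
}

/* Constructed IPv4 packet: opt_len bytes of NOP options, fragment offset fo
 * in 8-byte units, MF flag, protocol TCP, checksum left zero.  Returns the
 * on-wire length. */
static size_t build_pkt(uint8_t *buf, unsigned opt_len, unsigned fo, int mf,
                        const uint8_t *data, size_t dlen)
{
    unsigned ihl = 20 + opt_len, total = ihl + (unsigned)dlen;
    memset(buf, 0, total);
    buf[0] = 0x40 | (ihl / 4);                     /* version 4, IHL in words */
    buf[2] = total >> 8; buf[3] = total & 0xff;
    buf[4] = 0xab; buf[5] = 0xcd;                  /* identification */
    buf[6] = (mf ? 0x20 : 0) | ((fo >> 8) & 0x1f);
    buf[7] = fo & 0xff;
    buf[8] = 64; buf[9] = 6;                       /* TTL, protocol = TCP */
    memset(buf + 12, 10, 8);                       /* src/dst 10.10.10.10 */
    memset(buf + 20, 0x01, opt_len);               /* NOP options */
    memcpy(buf + ihl, data, dlen);
    return total;
}

/* Constructed 20-byte TCP header: port 1234 -> 80, data offset 5, ACK set. */
static const uint8_t tcp_hdr[20] = {
    0x04,0xd2, 0x00,0x50, 0,0,0,1, 0,0,0,1, 0x50, 0x10, 0xff,0xff, 0,0, 0,0 };

/* Bill's case: 40 bytes of options + 8 bytes of TCP = 68 bytes; the ports
 * are visible, the flags are not. */
enum verdict case_tiny_first_fragment(void)
{
    uint8_t pkt[128];
    size_t n = build_pkt(pkt, 40, 0, 1, tcp_hdr, 8);
    return check_fragment(pkt, n, NULL);
}

/* Plain first fragment carrying the whole TCP header; returns the ACK bit. */
int case_full_first_fragment_ack(void)
{
    uint8_t pkt[128]; int ack;
    size_t n = build_pkt(pkt, 0, 0, 1, tcp_hdr, 20);
    return check_fragment(pkt, n, &ack) == ACCEPT ? ack : -1;
}

/* Second fragment at offset 8 whose 12 bytes would overwrite TCP bytes
 * 8..19, flags included (here turning ACK into SYN), at reassembly. */
enum verdict case_overlapping_second_fragment(void)
{
    uint8_t pkt[128];
    uint8_t evil[12] = {0,0,0,1, 0x50, 0x02, 0xff,0xff, 0,0, 0,0};
    size_t n = build_pkt(pkt, 0, 1, 0, evil, 12);
    return check_fragment(pkt, n, NULL);
}

/* Second fragment at offset 16: starts past the flags byte, cannot touch it. */
enum verdict case_safe_second_fragment(void)
{
    uint8_t pkt[128], data[8] = {0};
    size_t n = build_pkt(pkt, 0, 2, 0, data, 8);
    return check_fragment(pkt, n, NULL);
}

int main(void)
{
    printf("68-byte first fragment, 8 bytes of TCP : verdict %d (DROP_TINY=2)\n",
           case_tiny_first_fragment());
    printf("full first fragment, ACK bit           : %d\n",
           case_full_first_fragment_ack());
    printf("second fragment at offset 8            : verdict %d (DROP_OVERLAP=3)\n",
           case_overlapping_second_fragment());
    printf("second fragment at offset 16           : verdict %d (ACCEPT=0)\n",
           case_safe_second_fragment());
    return 0;
}
```

The first-fragment rule is what makes Guido's objection concrete: the threshold is measured from the end of the IP header, so a packet that satisfies "68 bytes on the wire" with 40 bytes of options still fails it. The later-fragment rule is the companion check without which the first one is pointless, since an attacker who cannot hide the flags in fragment zero can still overwrite them with an overlapping fragment at offset 8.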