From owner-freebsd-hackers Fri Aug 25 02:39:26 1995
Return-Path: hackers-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id CAA19964 for hackers-outgoing; Fri, 25 Aug 1995 02:39:26 -0700
Received: from critter.tfs.com ([140.145.230.252]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id CAA19954 for ; Fri, 25 Aug 1995 02:39:23 -0700
Received: from localhost (localhost [127.0.0.1]) by critter.tfs.com (8.6.11/8.6.9) with SMTP id CAA00681; Fri, 25 Aug 1995 02:37:12 -0700
X-Authentication-Warning: critter.tfs.com: Host localhost didn't use HELO protocol
To: guido@gvr.win.tue.nl (Guido van Rooij)
cc: fenner@parc.xerox.com (Bill Fenner), phk@freefall.freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: IPFW and SCREEND
In-reply-to: Your message of "Fri, 25 Aug 1995 08:22:50 +0200." <199508250622.IAA08602@gvr.win.tue.nl>
Date: Fri, 25 Aug 1995 02:37:12 -0700
Message-ID: <679.809343432@critter.tfs.com>
From: Poul-Henning Kamp
Sender: hackers-owner@freebsd.org
Precedence: bulk

> Bill Fenner wrote:
> >
> > Actually, the minimum MTU in IPv6 is 576; the minimum MTU in IPv4 is 68.
> > 68 bytes is enough to get past the transport layer ports, so you should
> > be able to prevent this kind of attack by dropping fragments with an
> > offset of less than 68. This will still allow overwriting TCP options,
> > but it's not likely that a firewall is going to be filtering on them...
>
> Not true. An IP header can be 60 bytes maximum (20 byte header, 40 byte
> options). You should at least make sure that you can 'look' to the
> ACK bit of the TCP header. That means at least 14 bytes..

I'm pretty sure that you won't get bit by denying any fragments starting
< 256 bytes.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Just that: dried leaves in boiling water ?
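The rule being argued over in the thread, as an added example that is not part of the original message and not ipfw or screend code: a small C filter over raw IPv4 headers that passes unfragmented packets and initial fragments, and drops any later fragment whose payload-relative offset is below a configurable threshold, so it cannot overlap the transport header that the first fragment exposed to the filter. The function and structure names and the constructed headers are mine; the 256-byte threshold is PHK's figure above, and TCP_FLAGS_END (14 bytes) is Guido's count of how far into the TCP header the ACK bit sits. One point the code relies on, from RFC 791: the fragment offset field counts 8-byte units from the start of the IP payload, so the rule compares payload offsets, and the IP header length (20 to 60 bytes) only determines how much of the TCP header fits into a minimum-MTU first fragment.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IPv4 fragment-field bits (header bytes 6-7, RFC 791). */
#define IP_MF      0x2000u   /* "more fragments" flag            */
#define IP_OFFMASK 0x1fffu   /* fragment offset, in 8-byte units */

/* TCP header layout, offsets relative to the start of the IP payload:
 * bytes 0-3 ports, 4-7 seq, 8-11 ack, 12 data offset, 13 flags (incl. ACK).
 * A filter that wants to see the flags needs the first 14 payload bytes
 * to come from the initial fragment. */
#define TCP_FLAGS_END 14u

enum verdict { PASS = 0, DROP = 1, MALFORMED = 2 };

struct ipfrag {
    unsigned hlen;    /* IP header length in bytes, 20..60          */
    unsigned offset;  /* fragment offset in bytes, payload-relative */
    int      more;    /* MF flag set                                */
};

/* Parse just enough of an IPv4 header to classify a fragment. */
static int parse_ipv4(const uint8_t *pkt, size_t len, struct ipfrag *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    unsigned ihl = (pkt[0] & 0x0fu) * 4u;
    if (ihl < 20 || ihl > len)
        return -1;
    unsigned ff = ((unsigned)pkt[6] << 8) | pkt[7];
    out->hlen   = ihl;
    out->offset = (ff & IP_OFFMASK) * 8u;
    out->more   = (ff & IP_MF) != 0;
    return 0;
}

/* The rule under discussion: pass unfragmented packets and the initial
 * fragment (offset 0) on to the normal port/flag checks, and drop any
 * later fragment that starts before min_offset bytes into the payload.
 * min_offset = 256 is PHK's figure; TCP_FLAGS_END is the tightest value
 * that still protects the flags byte. The IP header length does not
 * enter into the comparison because the offset counts payload bytes. */
static enum verdict filter_fragment(const uint8_t *pkt, size_t len, unsigned min_offset)
{
    struct ipfrag f;
    if (parse_ipv4(pkt, len, &f) < 0)
        return MALFORMED;
    if (f.offset == 0)            /* unfragmented, or the first fragment */
        return PASS;
    return f.offset < min_offset ? DROP : PASS;
}

/* Build a constructed IPv4 header (no real traffic) with the given header
 * length, payload-relative fragment offset and MF flag. Hypothetical helper. */
static size_t make_hdr(uint8_t *buf, unsigned ihl_bytes, unsigned frag_off_bytes, int mf)
{
    memset(buf, 0, ihl_bytes);
    buf[0] = (uint8_t)(0x40u | (ihl_bytes / 4u));    /* version 4, IHL   */
    buf[2] = 0;
    buf[3] = (uint8_t)ihl_bytes;                      /* total length     */
    unsigned ff = (frag_off_bytes / 8u) | (mf ? IP_MF : 0u);
    buf[6] = (uint8_t)(ff >> 8);
    buf[7] = (uint8_t)(ff & 0xffu);
    buf[8] = 64;                                      /* TTL              */
    buf[9] = 6;                                       /* protocol: TCP    */
    return ihl_bytes;
}

/* Convenience wrapper: build one constructed fragment and run the filter. */
static enum verdict check_case(unsigned ihl_bytes, unsigned frag_off_bytes, int mf, unsigned min_offset)
{
    uint8_t pkt[60];
    size_t len = make_hdr(pkt, ihl_bytes, frag_off_bytes, mf);
    return filter_fragment(pkt, len, min_offset);
}

int main(void)
{
    static const char *name[] = { "PASS", "DROP", "MALFORMED" };
    printf("first fragment, MF set:            %s\n", name[check_case(20,   0, 1, 256)]);
    printf("2nd fragment at 8 bytes:           %s\n", name[check_case(20,   8, 1, 256)]);
    printf("2nd fragment at 248, 60-byte hdr:  %s\n", name[check_case(60, 248, 1, 256)]);
    printf("last fragment at 256 bytes:        %s\n", name[check_case(20, 256, 0, 256)]);
    printf("8-byte offset, 14-byte threshold:  %s\n", name[check_case(20,   8, 1, TCP_FLAGS_END)]);
    printf("16-byte offset, 14-byte threshold: %s\n", name[check_case(20,  16, 1, TCP_FLAGS_END)]);
    return 0;
}
```

The threshold is the only knob: with 256 the filter is as blunt as PHK proposes and refuses every fragment that lands inside the first quarter-kilobyte of payload, while TCP_FLAGS_END admits anything from offset 16 onward and still keeps the ACK bit out of reach of a later fragment. Either way the filter only makes sense together with a reassembler that refuses overlapping fragments, which is outside this example.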