Date: Wed, 12 Jan 2000 01:31:11 -0600
From: Nathan Kinsman <nathank@mentisworks.com>
To: freebsd-security@freebsd.org
Subject: Re: Ensuring packet defragmentation in FreeBSD?
Message-ID: <387C2DBF.B5D8FB73@mentisworks.com>
References: <200001110604.RAA07943@cairo.anu.edu.au>
Darren Reed wrote:
>
> In some mail from James Wyatt, sie said:
> >
> > I've been looking at several programs to help test client setups and
> > learning how they work. I noticed in the nmap manpage, it states:
> >
> > "...this method won't get by packet filters and firewalls that
> > queue all IP fragments (like the CONFIG_IP_ALWAYS_DEFRAG option
> > in the Linux kernel),..."
> >
> > Does FreeBSD queue packet fragments and/or reassemble them in a way I can
> > detect this probing by fragmented packets? Which files should I look in?
>
> You don't really want to do this anyway...the current maintainer of
> the linux firewalling code has made some nasty comments about the
> side effects of this behaviour.

I have found the following rule used with Darren's IPFilter to be a useful alternative:

    # Block any packets which are too short to be real.
    block in quick all with short

If you use Snort NIDS software, you can also use this rule to alert you to small fragments:

    preprocessor minfrag: 128

Both IPFilter and Snort run very well, with low overhead on FreeBSD.

>
> Darren
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Nathan Kinsman
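An added example, not from Nathan's mail or from the IPFilter or Snort projects: a small Python check that applies the idea behind both rules above to constructed IPv4 packets, flagging a first fragment too short to carry a whole transport header (IPFilter's "short") and any fragment below the 128-byte threshold (Snort's "minfrag"). The transport-header minimums, the sample packets and the hypothetical function names are assumptions for the demo; it does not reproduce either tool's exact logic.

```python
import struct

MINFRAG = 128                    # threshold from the Snort rule above
MIN_HDR = {1: 8, 6: 20, 17: 8}   # smallest valid ICMP / TCP / UDP header (assumed)


def check_packet(pkt: bytes) -> list:
    """Return the names of the rules a raw IPv4 packet would trigger."""
    if len(pkt) < 20:
        return ["short"]         # cannot even hold a base IPv4 header
    ver_ihl, _tos, _tlen, _id, frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    more_frags = bool(frag & 0x2000)
    offset = (frag & 0x1FFF) * 8
    hits = []
    # Snort minfrag: any fragment (first or later) smaller than the threshold.
    if (more_frags or offset) and len(pkt) < MINFRAG:
        hits.append("minfrag")
    # IPFilter "short": the bytes that should hold the transport header are
    # missing or truncated (only the first fragment carries that header).
    if ihl < 20 or (offset == 0 and len(pkt) - ihl < MIN_HDR.get(proto, 0)):
        hits.append("short")
    return hits


def build_ipv4(payload: bytes, proto: int, more_frags: bool = False,
               offset: int = 0) -> bytes:
    """Constructed sample packet: minimal IPv4 header (checksum left 0)."""
    flags_frag = (0x2000 if more_frags else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


# Constructed traffic: a normal TCP segment, a tiny first fragment that
# cannot hold a whole TCP header, a small later fragment, and a small but
# complete UDP datagram (which should pass both checks).
SAMPLES = {
    "tcp_full":    build_ipv4(b"\x00" * 120, 6),
    "tcp_frag_8b": build_ipv4(b"\x00" * 8, 6, more_frags=True),
    "later_frag":  build_ipv4(b"\x00" * 16, 6, more_frags=True, offset=8),
    "udp_small":   build_ipv4(b"\x00" * 12, 17),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12s} {len(pkt):4d} bytes -> {check_packet(pkt) or 'ok'}")
```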