From owner-freebsd-security Tue Jan 11 23:34:05 2000
From: Nathan Kinsman
Organization: Mentisworks, LLC
Date: Wed, 12 Jan 2000 01:31:11 -0600
To: freebsd-security@freebsd.org
Subject: Re: Ensuring packet defragmentation in FreeBSD?
Message-ID: <387C2DBF.B5D8FB73@mentisworks.com>
References: <200001110604.RAA07943@cairo.anu.edu.au>

Darren Reed wrote:
>
> In some mail from James Wyatt, sie said:
> >
> > I've been looking at several programs to help test client setups and
> > learning how they work. I noticed in the nmap manpage, it states:
> >
> > "...this method won't get by packet filters and firewalls that
> > queue all IP fragments (like the CONFIG_IP_ALWAYS_DEFRAG option
> > in the Linux kernel),..."
> >
> > Does FreeBSD queue packet fragments and/or reassemble them in a way I can
> > detect this probing by fragmented packets? Which files should I look in?
>
> You don't really want to do this anyway...the current maintainer of
> the linux firewalling code has made some nasty comments about the
> side effects of this behaviour.
I have found the following rule used with Darren's IPFilter to be a useful
alternative:

    # Block any packets which are too short to be real.
    block in quick all with short

If you use Snort NIDS software, you can also use this rule to alert you to
small fragments:

    preprocessor minfrag: 128

Both IPFilter and Snort run very well, with low overhead on FreeBSD.

> Darren

--
Nathan Kinsman

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
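As an added illustration (not code from the list post, IPFilter or Snort), the Python below shows what the two rules above test for, run over a few constructed IPv4 fragments: IPFilter's "with short" as read here (an assumption: a first fragment whose payload cannot hold the complete transport header) and a Snort minfrag-style length threshold of 128 bytes.

```python
import struct

# IPv4 header without options (RFC 791); every packet below is constructed.
IP_HDR_FMT = "!BBHHHBBH4s4s"
IP_MF = 0x2000        # "more fragments" flag
IP_OFFMASK = 0x1FFF   # fragment offset, in 8-byte units
MIN_HDR = {6: 20, 17: 8, 1: 8}   # smallest TCP, UDP and ICMP headers


def parse_ipv4(pkt):
    """Pull out the fields needed to judge a fragment (assumes no IP options)."""
    vihl, _tos, tot_len, _id, frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IP_HDR_FMT, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"tot_len": tot_len, "proto": proto, "mf": bool(frag & IP_MF),
            "offset": (frag & IP_OFFMASK) * 8, "payload_len": len(pkt) - ihl}


def is_short_fragment(f):
    """IPFilter 'with short', as read here (assumption): a first fragment whose
    payload is too small to hold the complete transport header."""
    is_frag = f["mf"] or f["offset"] != 0
    if not is_frag or f["offset"] != 0:
        return False      # unfragmented, or a later fragment (carries no header)
    return f["payload_len"] < MIN_HDR.get(f["proto"], 8)


def below_minfrag(f, threshold=128):
    """Snort minfrag-style check: any fragment shorter than threshold bytes."""
    is_frag = f["mf"] or f["offset"] != 0
    return is_frag and f["tot_len"] < threshold


def classify(pkt):
    f = parse_ipv4(pkt)
    return is_short_fragment(f), below_minfrag(f)


def make_packet(payload, mf, offset8, proto=6):
    """Build a constructed IPv4 packet (checksum left zero; fine for parsing)."""
    frag = (IP_MF if mf else 0) | (offset8 & IP_OFFMASK)
    hdr = struct.pack(IP_HDR_FMT, 0x45, 0, 20 + len(payload), 0x1234, frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


# Constructed samples: an 8-byte first fragment (the kind of tiny fragment the
# thread is about), a normal TCP packet, a full-size first fragment, and a
# small non-first fragment.
SAMPLES = {
    "tiny_first_frag": make_packet(b"\x00" * 8, mf=True, offset8=0),
    "normal_packet": make_packet(b"\x00" * 20, mf=False, offset8=0),
    "large_first_frag": make_packet(b"\x00" * 1000, mf=True, offset8=0),
    "tiny_later_frag": make_packet(b"\x00" * 8, mf=True, offset8=1),
}
```

Only the tiny first fragment trips the "short" test, while the minfrag threshold also flags the small later fragment, which is why the two rules complement each other.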