[265] in linux-security and linux-alert archive
Re: Fragmentation
daemon@ATHENA.MIT.EDU (Alan Cox)
Tue Jun 20 20:42:43 1995
From: iialan@iifeak.swan.ac.uk (Alan Cox)
To: panzer@dhp.com (Panzer Boy)
Date: Tue, 20 Jun 1995 09:20:18 +0100 (BST)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <3rolg0$4th@dhp.com> from "Panzer Boy" at Jun 15, 95 02:54:56 am
> Anyone know about linux's ip firewall ability concerning packet
> fragmentation. It's currently the "hot thing" as even cisco's are
> vulnerable (if you don't have current patch).
Linux passes all but the first fragment. It could be extended to check all
rules that don't require a port match on the scan.
> My guess is that it shouldn't be as the firewall code should be called
> after all packets are reassembled, though I've learned to never assume
> things when it comes to security.
Fragments can take different routes so if you have >1 gateway box you
lose. This is why fragments are only assembled on the target host.
Alan
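A small model of the fragment-aware check Alan describes, written here as an added illustration and not taken from the Linux firewall code or from either poster: a non-first fragment (offset > 0) carries no transport header, so rules that need a port match cannot be evaluated on it and are skipped, while address and protocol rules are still enforced on every fragment. The Rule class, packet builder, addresses and rule set are assumptions constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:                         # hypothetical rule shape for this example
    action: str                     # "deny" or "allow"
    proto: Optional[int] = None     # IP protocol number (6 = TCP, 17 = UDP)
    dst: Optional[str] = None       # destination address, dotted quad
    dport: Optional[int] = None     # destination port, present only in fragment 0

def parse_ipv4(pkt: bytes) -> dict:
    """Fields the filter needs; dport is None unless offset == 0 and a
    TCP/UDP header follows the IP header."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_off = struct.unpack("!H", pkt[6:8])[0]
    offset = (flags_off & 0x1FFF) * 8               # fragment offset in bytes
    proto = pkt[9]
    dst = ".".join(str(b) for b in pkt[16:20])
    dport = None
    if offset == 0 and proto in (6, 17) and len(pkt) >= ihl + 4:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return {"offset": offset, "proto": proto, "dst": dst, "dport": dport}

def filter_packet(pkt: bytes, rules: list) -> str:
    """First matching rule wins, default allow. Port rules are skipped for
    non-first fragments; address/protocol rules apply to all of them."""
    h = parse_ipv4(pkt)
    for r in rules:
        if r.dport is not None and h["offset"] != 0:
            continue                                # no port header to inspect
        if r.proto is not None and r.proto != h["proto"]:
            continue
        if r.dst is not None and r.dst != h["dst"]:
            continue
        if r.dport is not None and r.dport != h["dport"]:
            continue
        return r.action
    return "allow"

def build_packet(dst: str, proto: int, offset: int, more: bool, payload: bytes) -> bytes:
    """Constructed IPv4 header (checksum left zero) for sample traffic."""
    flags_off = (0x2000 if more else 0) | (offset // 8)   # MF flag + offset/8
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_off,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes(int(o) for o in dst.split(".")))
    return hdr + payload

RULES = [Rule("deny", proto=6, dport=23), Rule("deny", dst="10.0.0.99")]
FIRST = build_packet("10.0.0.5", 6, 0, True, struct.pack("!HH", 40000, 23))  # TCP ports
REST = build_packet("10.0.0.5", 6, 8, False, b"\x00" * 8)                   # later fragment
STRAY = build_packet("10.0.0.99", 17, 8, False, b"\x00" * 8)                # later fragment
```

As the thread notes, the later fragment of the telnet flow is passed by the port rule, which is tolerable only because the blocked first fragment means the host can never reassemble the datagram; the address rule still catches every fragment aimed at 10.0.0.99.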