Should I block Fragmented IP Packets?

I'm using a Linksys Wireless-G Cable Gateway. One of the firewall settings 
is to block fragmented IP packets. Should I? Or will this cause connection 
problems?

Also, should I filter multicast?

Thanks for any info...I'm new to this.

Kyle
kyle_st (18)
11/19/2005 2:02:23 PM
comp.security.firewalls

Kyle Stedman <kyle_st@yahoo.com> wrote:
> I'm using a Linksys Wireless-G Cable Gateway. One of the firewall settings 
> is to block fragmented IP packets. Should I? Or will this cause connection 
> problems?
> 
> Also, should I filter multicast?
> 
> Thanks for any info...I'm new to this.
> 
> Kyle

In both cases, 'it depends'. Disabling fragmented IP *usually* works,
because in most cases, the hosts will use PMTUD (Path Maximum Transfer
Unit Discovery) and adjust the size of the IP packets they are sending
accordingly.

*However*, many IPSec implementations do not, and IPSec is widely used
for VPNs.

I'd venture a guess that if you are not establishing IPSec connections
from behind the firewall, or doing other fancy networking stuff that's
so complicated you *will* know if you do it, you can safely disable
fragmented IP.

Filtering multicast depends on whether you use it. I don't see much benefit
in disabling it, except perhaps as a small measure to make DoS slightly
less easy, but it isn't used too much either. You could disable it and
see if anything, in particular mbone-based stuff and some p2p apps,
breaks.

More important is to make sure to use proper security between all the
hosts and the firewall. WEP is pretty useless, and WPA makes it as good
as a regular ethernet switch with a dozen cables running out of your
house, under the front door. I've heard MAC poisoning and the like is
pretty dangerous; search the web, or the archives of a security list
like Full-Disclosure, for this.

		Joachim
11/19/2005 3:34:02 PM
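Joachim's answer above turns on what the two gateway options actually match in the IPv4 header. As an added example that is not from the thread, here is a Python model of the decision: it parses the fixed IPv4 header, flags a datagram as a fragment when MF is set or the fragment offset is non-zero, flags multicast by destination, and applies the "block fragmented IP" and "filter multicast" settings to constructed packets (a TCP sender using PMTUD with DF set, an IPsec ESP datagram split in two, and a UDP packet to a multicast group). The header builder, sample addresses and verdict strings are my own assumptions.

```python
import struct
from ipaddress import IPv4Address

IP_DF, IP_MF, FRAG_OFFSET_MASK = 0x4000, 0x2000, 0x1FFF   # bits of the IPv4 fragment field

def build_ipv4_header(src, dst, proto, flags=0, frag_offset=0, total_len=1500):
    """Build a 20-byte IPv4 header (no options; checksum left zero). Constructed sample data only."""
    frag_field = (flags | (frag_offset & FRAG_OFFSET_MASK)) & 0xFFFF
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, frag_field, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_ipv4_header(pkt):
    """Decode the fields a fragment/multicast filter needs from the fixed IPv4 header."""
    ver_ihl, _, _, _, frag_field, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {"src": IPv4Address(src), "dst": IPv4Address(dst), "proto": proto,
            "df": bool(frag_field & IP_DF), "mf": bool(frag_field & IP_MF),
            "offset": frag_field & FRAG_OFFSET_MASK}        # offset is in 8-byte units

def is_fragment(hdr):
    # First fragment: MF set with offset 0; later fragments: offset > 0 (MF clear on the last one)
    return hdr["mf"] or hdr["offset"] > 0

def gateway_verdict(pkt, block_fragments, filter_multicast):
    """Apply the two gateway options discussed in the thread to one packet."""
    hdr = parse_ipv4_header(pkt)
    if block_fragments and is_fragment(hdr):
        return "DROP (fragment)"
    if filter_multicast and hdr["dst"].is_multicast:
        return "DROP (multicast)"
    return "ACCEPT"

# Constructed samples (private addresses); proto 6 = TCP, 17 = UDP, 50 = ESP (IPsec)
SAMPLES = {
    # A TCP sender doing PMTUD sets DF, so it never emits fragments and is unaffected by the block
    "tcp_pmtud": build_ipv4_header("192.168.1.10", "10.0.0.5", 6, flags=IP_DF),
    # An IPsec ESP datagram that was too big for the path and got split in two: both pieces are dropped
    "esp_frag_first": build_ipv4_header("192.168.1.10", "10.0.0.5", 50, flags=IP_MF, frag_offset=0),
    "esp_frag_last": build_ipv4_header("192.168.1.10", "10.0.0.5", 50, frag_offset=185, total_len=120),
    # UPnP/SSDP style discovery sent to a multicast group
    "udp_multicast": build_ipv4_header("192.168.1.10", "239.255.255.250", 17, flags=IP_DF, total_len=300),
}

def audit(block_fragments=True, filter_multicast=False):
    """Return the verdict the gateway would give each sample under the chosen settings."""
    return {name: gateway_verdict(pkt, block_fragments, filter_multicast) for name, pkt in SAMPLES.items()}
```

Running `audit()` with the defaults shows exactly the trade-off Joachim describes: the PMTUD-aware TCP packet passes, while both halves of the fragmented ESP datagram are dropped, so an IPsec VPN behind the gateway would break.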
jKILLSPAM.schipper@math.uu.nl wrote in
news:437f45ea$0$33780$dbd41001@news.wanadoo.nl: 

> Kyle Stedman <kyle_st@yahoo.com> wrote:
>> I'm using a Linksys Wireless-G Cable Gateway. One of the firewall
>> settings is to block fragmented IP packets. Should I? Or will this
>> cause connection problems?
>> 
>> Also, should I filter multicast?
>> 
>> Thanks for any info...I'm new to this.
>> 
>> Kyle
> 
> In both cases, 'it depends'. Disabling fragmented IP *usually* works,
> because in most cases, the hosts will use PMTUD (Path Maximum Transfer
> Unit Discovery) and adjust the size of the IP packets they are sending
> accordingly.
> 
> *However*, many IPSec implementations do not, and IPSec is widely used
> for VPNs.
> 
> I'd venture a guess that if you are not establishing IPSec connections
> from behind the firewall, or doing other fancy networking stuff that's
> so complicated you *will* know if you do it, you can safely disable
> fragmented IP.
> 
> Filtering multicast depends on whether you use it. I don't see much benefit
> in disabling it, except perhaps as a small measure to make DoS
> slightly less easy, but it isn't used too much either. You could
> disable it and see if anything, in particular mbone-based stuff and
> some p2p apps, breaks.
> 
> More important is to make sure to use proper security between all the
> hosts and the firewall. WEP is pretty useless, and WPA makes it as
> good as a regular ethernet switch with a dozen cables running out of
> your house, under the front door. I've heard MAC poisoning and the
> like is pretty dangerous; search the web, or the archives of a
> security list like Full-Disclosure, for this.
> 
>           Joachim
> 

Thanks Joachim!  I appreciate the explanations and advice.

Kyle

kyle_st (18)
11/19/2005 3:50:40 PM