Should I block Fragmented IP Packets?
- 11-19-2005
Re: Should I block Fragmented IP Packets?
In both cases, 'it depends'. Disabling fragmented IP *usually* works,
because in most cases, the hosts will use PMTUD (Path Maximum Transfer
Unit Discovery) and adjust the size of the IP packets they are sending
accordingly.
*However*, many IPSec implementations do not, and IPSec is widely used
for VPNs.
I'd venture a guess that if you are not establishing IPSec connections
from behind the firewall, or doing other fancy networking stuff that's
so complicated you *will* know if you do it, you can safely disable
fragmented IP.
Filtering multicast depends on whether you use it. I don't see much benefit
in disabling it, except perhaps as a small measure to make DoS slightly
less easy, but it isn't used too much either. You could disable it and
see if anything, in particular mbone-based stuff and some p2p apps,
breaks.
More important is to make sure to use proper security between all the
hosts and the firewall. WEP is pretty useless, and WPA makes it as good
as a regular ethernet switch with a dozen cables running out of your
house, under the front door. I've heard MAC poisoning and the like is
pretty dangerous; search the web, or the archives of a security list
like Full-Disclosure, for this.
Joachim
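The post's two points, that a blanket fragment drop is usually harmless because hosts rely on PMTUD, and that it bites IPsec, can be made concrete with a small packet classifier. The following is an added example, not code from the post or from any firewall product: it parses IPv4 headers, flags anything with MF set or a non-zero fragment offset as a fragment, and carves out one exception that a fragment-dropping filter must keep: ICMP type 3 code 4 ("fragmentation needed"), since that is the message PMTUD depends on. All packets are constructed inline (addresses from the documentation ranges, ICMP checksum left at zero) so the script runs offline; the ESP sample stands in for the IPsec case the post warns about.

```python
import struct
import ipaddress

# Protocol numbers used in the constructed samples below.
IPPROTO_ICMP = 1
IPPROTO_UDP = 17
IPPROTO_ESP = 50   # IPsec ESP, the traffic the post says often ignores PMTUD

IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over a 20-byte header.
    Returns 0 when run over a header whose checksum field is already correct."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto, payload, mf=False, frag_offset=0, df=False,
               src="192.0.2.10", dst="198.51.100.20"):
    """Construct an IPv4 packet (no options) with the given fragment flags.
    Used only to build the sample traffic; a real filter sees packets off the wire."""
    assert frag_offset % 8 == 0, "fragment offset is carried in 8-byte units"
    flags = (0x2 if df else 0) | (0x1 if mf else 0)
    flags_frag = (flags << 13) | (frag_offset // 8)
    fields = [0x45, 0, 20 + len(payload), 0x1234, flags_frag, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields) + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the IPv4 header and return the fields a fragment filter cares about."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, _tlen, _ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    flags = flags_frag >> 13
    frag_offset = (flags_frag & 0x1FFF) * 8
    return {
        "proto": proto,
        "df": bool(flags & 0x2),
        "mf": bool(flags & 0x1),
        "frag_offset": frag_offset,
        # First fragments have offset 0 but MF set; later ones have offset > 0.
        "is_fragment": bool(flags & 0x1) or frag_offset != 0,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload": pkt[ihl:],
    }


def is_frag_needed(hdr: dict) -> bool:
    """ICMP Destination Unreachable, code 4 (RFC 1191): the PMTUD signal."""
    if hdr["proto"] != IPPROTO_ICMP or hdr["is_fragment"] or len(hdr["payload"]) < 8:
        return False
    return hdr["payload"][0] == 3 and hdr["payload"][1] == 4


def filter_decision(pkt: bytes) -> str:
    """Policy from the post: drop fragments, but never the message PMTUD relies on."""
    hdr = parse_ipv4(pkt)
    if is_frag_needed(hdr):
        return "accept"
    if hdr["is_fragment"]:
        return "drop"
    return "accept"


# Constructed sample traffic (not captured data).
UDP_PAYLOAD = struct.pack("!HHHH", 53, 53, 8 + 4, 0) + b"data"
# ICMP type 3 code 4, checksum 0, next-hop MTU 1400, plus the offending IP header + 8 bytes.
ICMP_FRAG_NEEDED = (struct.pack("!BBHHH", 3, 4, 0, 0, 1400)
                    + build_ipv4(IPPROTO_UDP, UDP_PAYLOAD)[:28])

SAMPLES = {
    "plain_udp": build_ipv4(IPPROTO_UDP, UDP_PAYLOAD),
    "udp_first_frag": build_ipv4(IPPROTO_UDP, UDP_PAYLOAD, mf=True),
    "udp_last_frag": build_ipv4(IPPROTO_UDP, b"tail", frag_offset=1480),
    "icmp_frag_needed": build_ipv4(IPPROTO_ICMP, ICMP_FRAG_NEEDED, src="203.0.113.1"),
    "esp_first_frag": build_ipv4(IPPROTO_ESP, b"\x00" * 64, mf=True),
}


def audit(samples: dict) -> dict:
    """Run the policy over every sample; returns {name: verdict}."""
    return {name: filter_decision(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:18s} -> {verdict}")
```

The `esp_first_frag` verdict is the caveat in the post: an IPsec tunnel whose ESP packets get fragmented on the way out will silently lose them under this policy, with nothing in the ICMP path to save it. When translating the policy to a real filter, check what your rule matches: iptables' `-f` only matches second and further fragments, so a first fragment (offset 0, MF set) passes a rule written that way.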