Should I block Fragmented IP Packets?

Have a question or want to start a discussion? Post it! No Registration Necessary.  Now with pictures!

Threaded View
I'm using a Linksys Wireless-G Cable Gateway. One of the firewall settings
is to block fragmented IP packets. Should I? Or will this cause connection
problems.

Also, should I filter multicast?

Thanks for any info...I'm new to this.

Kyle

Re: Should I block Fragmented IP Packets?
Quoted text here. Click to load it

In both cases, 'it depends'. Disabling fragmented IP *usually* works,
because in most cases, the hosts will use PMTUD (Path Maximum Transfer
Unit Discovery) and adjust the size of the IP packets they are sending
accordingly.

*However*, many IPSec implementations do not, and IPSec is widely used
for VPNs.

I'd venture a guess that if you are not establishing IPSec connections
from behind the firewall, or doing other fancy networking stuff that's
so complicated you *will* know if you do it, you can safely disable
fragmented IP.

Filtering multicast depends on if you use it. I don't see much benefit
in disabling it, except perhaps as a small measure to make DoS slightly
less easy, but it isn't used too much either. You could disable it and
see if anything, in particular mbone-based stuff and some p2p apps,
breaks.

More important is to make sure to use proper security between all the
hosts and the firewall. WEP is pretty useless, and WPA makes it as good
as a regular ethernet switch with a dozen cables running out of your
house, under the front door. I've heard MAC poisoning and the like is
pretty dangerous; search the web, or the archives of a security list
like Full-Disclosure, for this.

        Joachim

Re: Should I block Fragmented IP Packets?
jKILLSPAM.schipper@math.uu.nl wrote in

Quoted text here. Click to load it

Thanks Joachim!  I appreciate the explanations and advice.

Kyle


Site Timeline