Should I block Fragmented IP Packets?

I'm using a Linksys Wireless-G Cable Gateway. One of the firewall settings is to block fragmented IP packets. Should I? Or will this cause connection problems?

Also, should I filter multicast?

Thanks for any info... I'm new to this.


Kyle Stedman
In both cases, 'it depends'. Disabling fragmented IP *usually* works, because in most cases, the hosts will use PMTUD (Path Maximum Transfer Unit Discovery) and adjust the size of the IP packets they are sending accordingly.

*However*, many IPSec implementations do not, and IPSec is widely used for VPNs.

I'd venture a guess that if you are not establishing IPSec connections from behind the firewall, or doing other fancy networking stuff that's so complicated you *will* know if you do it, you can safely disable fragmented IP.

Filtering multicast depends on whether you use it. I don't see much benefit in disabling it, except perhaps as a small measure to make DoS slightly less easy, but it isn't used too much either. You could disable it and see if anything, in particular MBone-based stuff and some p2p apps, breaks.

More important is to make sure to use proper security between all the hosts and the firewall. WEP is pretty useless, and WPA makes it as good as a regular ethernet switch with a dozen cables running out of your house, under the front door. I've heard MAC poisoning and the like is pretty dangerous; search the web, or the archives of a security list like Full-Disclosure, for this.
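
As an added illustration (not part of the thread, and not the Linksys firmware's own logic) of what a "block fragmented IP packets" setting actually looks at, and why a DF-marked PMTUD flow passes while a fragmented IPsec ESP packet would be dropped: a small IPv4 header decoder plus a verdict function. The packets below are constructed test data with placeholder addresses.

```python
import struct
from dataclasses import dataclass

@dataclass
class IPv4Summary:
    protocol: int
    dont_fragment: bool     # DF bit: set by hosts relying on PMTUD
    more_fragments: bool    # MF bit: set on every fragment but the last
    fragment_offset: int    # in 8-byte units, as carried on the wire

    @property
    def is_fragment(self) -> bool:
        # MF set (not the last piece) or a non-zero offset (not the first
        # piece) both mean this datagram is one part of a larger one.
        return self.more_fragments or self.fragment_offset != 0

def parse_ipv4_header(packet: bytes) -> IPv4Summary:
    """Decode only the fields a fragment filter needs from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl, _tos, _total, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return IPv4Summary(proto,
                       bool(flags_frag & 0x4000),   # DF
                       bool(flags_frag & 0x2000),   # MF
                       flags_frag & 0x1FFF)          # fragment offset

def build_ipv4(proto: int, df=False, mf=False, offset=0, payload=b"") -> bytes:
    """Constructed sample packet; header checksum left as 0 for brevity."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    return header + payload

def fragment_filter_verdict(packet: bytes, block_fragments: bool = True) -> str:
    """What the gateway's 'block fragmented IP packets' option would decide."""
    return "drop" if block_fragments and parse_ipv4_header(packet).is_fragment else "pass"

def sample_packets() -> dict:
    return {
        "tcp_df":         build_ipv4(6,  df=True, payload=b"\x00" * 8),  # PMTUD-style TCP
        "udp_first_frag": build_ipv4(17, mf=True, offset=0),             # first piece
        "udp_last_frag":  build_ipv4(17, mf=False, offset=185),          # last piece
        "esp_frag":       build_ipv4(50, mf=True, offset=0),             # fragmented IPsec ESP
    }

def audit(packets: dict, block_fragments: bool = True) -> dict:
    """Map each sample name to the verdict the filter would give it."""
    return {name: fragment_filter_verdict(p, block_fragments) for name, p in packets.items()}
```

Run `audit(sample_packets())` to see that only the DF-marked TCP packet passes with blocking enabled; the ESP fragment is dropped, which is exactly the VPN breakage the reply warns about.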


jKILLSPAM.schipper wrote in news:437f45ea$0$33780$

Thanks Joachim! I appreciate the explanations and advice.


