>barry,
>fragment != misordered packet.

You're right. My bad. :( I didn't think it was, but I hadn't quite finished my first cup of coffee of the day when I sent that, and the following line out of the section of the HOWTO that I referenced had me momentarily confused:

"...which is when a packet comes in that's fragmented from its journey. IPF has provisions for this as well, the keep frags keyword. With it, IPF will notice and keep track of packets that are fragmented, allowing the expected fragments to go through."

I read "fragmented from its journey" to mean "separated from the packets it belongs with" instead of "broken into smaller bits".

>fragments are a result of a size mismatch between the
>IP layer and the underlying physical layer. if you ask
>Fed-Ex to ship something that is bigger than a 747
>they must chop it into pieces that fit into a 747. at the
>other end they get out the glue and put it back together
>again. this is not one of the things that ipf does -- it
>doesn't glue the fragments together -- nor do i think
>that it should. but ipf does include the capability to
>deal with the fragmented IP packets by passing them
>when they are indeed part of a valid connection; that's
>what the directive "keep frags" does for you.
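To make the two points in the quoted reply concrete (fragments come from an MTU mismatch, and "keep frags" passes the later fragments of an accepted packet without gluing them back together), here is an added toy model in Python. It is not IPF's code and not from this thread; the addresses, ports, MTU, IP identification values and the single firewall rule are constructed, and the fragment table is a simplified stand-in for what the directive does. The model also shows why plain port-matching rules cannot handle non-first fragments: only the first fragment carries the UDP header.

```python
"""Toy model of IPv4 fragmentation and an IPF-style 'keep frags' filter.

Added example, not IPF's own code. Addresses, ports, the MTU and the single
rule are constructed values; the fragment table is a simplified model of
what the 'keep frags' directive does: remember fragments of a packet the
ruleset accepted, pass the rest of them, and never reassemble anything.
"""
import struct
from dataclasses import dataclass, field

IP_MF = 0x2000        # "more fragments" flag in the IP flags/offset word
IP_OFFMASK = 0x1FFF   # fragment offset, counted in 8-byte units
IP_HDR_LEN = 20
PROTO_UDP = 17


@dataclass
class Fragment:
    src: str
    dst: str
    proto: int
    ident: int      # IP identification, shared by all fragments of one datagram
    offset: int     # byte offset of this piece within the original payload
    more: bool      # MF flag: another fragment follows
    payload: bytes


def fragment(src, dst, proto, ident, payload, mtu):
    """Split a datagram's payload so each piece plus a 20-byte IP header fits the MTU.

    Every fragment but the last carries a multiple of 8 payload bytes, because
    the offset field can only express 8-byte units.
    """
    chunk = (mtu - IP_HDR_LEN) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any payload")
    pieces = []
    for off in range(0, len(payload), chunk):
        data = payload[off:off + chunk]
        pieces.append(Fragment(src, dst, proto, ident, off,
                               off + chunk < len(payload), data))
    return pieces


def flags_offset_word(f):
    """The 16-bit flags/offset field as it appears in the IP header."""
    return (IP_MF if f.more else 0) | ((f.offset // 8) & IP_OFFMASK)


def parse_flags_offset(word):
    """Inverse of flags_offset_word: (more_fragments, byte_offset)."""
    return bool(word & IP_MF), (word & IP_OFFMASK) * 8


@dataclass
class KeepFragsFilter:
    """One constructed rule: 'pass in proto udp from any to <dst> port = <port> keep frags'."""
    rule_dst: str
    rule_port: int
    frag_table: set = field(default_factory=set)

    def _rule_matches(self, f):
        # Only the first fragment carries the UDP header, so only it can be
        # matched on port; later fragments are pure payload.
        if f.dst != self.rule_dst or f.proto != PROTO_UDP or len(f.payload) < 8:
            return False
        _sport, dport, _ulen, _csum = struct.unpack("!HHHH", f.payload[:8])
        return dport == self.rule_port

    def check(self, f):
        key = (f.src, f.dst, f.proto, f.ident)
        if f.offset == 0:
            if not self._rule_matches(f):
                return "block"
            if f.more:                 # remember the rest of this datagram
                self.frag_table.add(key)
            return "pass"
        # Non-first fragment: passed only if its first fragment was accepted.
        if key not in self.frag_table:
            return "block"
        if not f.more:                 # last piece seen, forget the entry
            self.frag_table.discard(key)
        return "pass"


def run_scenario():
    """Constructed traffic: one allowed DNS-style datagram, then an orphan fragment."""
    udp_hdr = struct.pack("!HHHH", 40000, 53, 8 + 3000, 0)
    frags = fragment("192.0.2.10", "198.51.100.5", PROTO_UDP, 0x1234,
                     udp_hdr + b"A" * 3000, mtu=1500)
    fw = KeepFragsFilter(rule_dst="198.51.100.5", rule_port=53)
    verdicts = [fw.check(f) for f in frags]
    # A stray non-first fragment whose first fragment never arrived.
    orphan = Fragment("192.0.2.10", "198.51.100.5", PROTO_UDP, 0x9999,
                      1480, False, b"B" * 10)
    return verdicts, fw.check(orphan), len(fw.frag_table)


if __name__ == "__main__":
    print(run_scenario())
```

Running it splits a 3008-byte UDP payload into three fragments for a 1500-byte MTU, passes all three because the first one matched the rule, and blocks the orphan fragment whose first piece was never seen. The filter never concatenates payloads; like the reply says, reassembly belongs to the receiving host, not the filter.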
