On Thu, May 30, 2002 at 12:16:22PM +0200, Jozsef Kadlecsik wrote:
> On 30 May 2002, Andras Kis-Szabo wrote:
> 
> > > don't forget that ICMP error messages only quote the first 64 bytes of the
> > > original packet. Adding up IP and TCP headers (both 20 bytes without
> > > options), you only have 24 bytes of original payload. This might be somewhat
> > > more in UDP though due to its shorter header.
> > >
> > > A full length PORT command is 28 bytes, though a common scenario fits into
> > > 24 bytes.
> > >
> > > I see two solutions:
> > > * truncate the packet, and remove the payload area of deNATed ICMP messages,
> > >   if the inner header is either TCP or UDP (because in this case we _KNOW_
> > >   what is header and what is payload)
> > > * don't use packet filtering if separating the two zones is so important
> > >
> > > The first one could also be implemented using an ICMPTRIM target in your
> > > mangle table, which could also trim ICMP echo request/reply payloads. (which
> > > can easily be used to tunnel a whole IP stack through a firewall)
> >
> > Ok, I didn't know the IPv4-ICMP RFC. I just sent a special packet with
> > TCP payload and I got back the payload. It was only a first check.
> > (In IPv6-ICMP the length-limit is ~1298 bytes, ...)
> 
> Sidenote: ICMPTRIM could not be used to trim ICMP echo requests/replies:
> 
> "The data received in the echo message must be returned in the echo
> reply message."

Ok, that's true. Those packets are to be dropped then.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

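The trimming idea discussed in this thread (an ICMPTRIM-style target that cuts the quoted datagram inside a deNATed ICMP error down to its IP and transport headers, so the leftover payload such as a PORT command never crosses the zone boundary), written out as a stand-alone Python example. This is an added illustration, not code from the thread or from netfilter: a real implementation would live in a kernel target, and the packets below (an FTP PORT command quoted by a port-unreachable error, a UDP datagram, and an echo request) are constructed here, not captured. It also encodes the two caveats raised above: only TCP and UDP are trimmed, because only there is the header/payload boundary known, and echo request/reply are left untouched since RFC 792 requires echo data to be returned, so those can only be dropped.

```python
"""Trim the quoted datagram inside ICMP error messages (ICMPTRIM idea).

Added example; not the mailing-list authors' or netfilter's code."""
import socket
import struct

# ICMP types whose body quotes the offending datagram (RFC 792): destination
# unreachable, source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def checksum(data: bytes) -> int:
    """RFC 1071 one's complement sum, as used by IP, ICMP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_message(icmp_type: int, code: int, rest: int, body: bytes) -> bytes:
    """ICMP header (type, code, checksum, 4 bytes 'rest of header') + body."""
    msg = bytearray(struct.pack("!BBHI", icmp_type, code, 0, rest) + body)
    msg[2:4] = struct.pack("!H", checksum(bytes(msg)))
    return bytes(msg)


def inner_header_len(inner: bytes):
    """Length of IP header + transport header in a quoted datagram, or None
    when the transport is not TCP/UDP (header and payload cannot be told
    apart) or the quote is too short to hold the headers."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl:
        return None
    proto = inner[9]
    if proto == IPPROTO_UDP:
        return ihl + 8
    if proto == IPPROTO_TCP:
        if len(inner) < ihl + 13:        # TCP data-offset byte not quoted
            return None
        doff = (inner[ihl + 12] >> 4) * 4
        return ihl + max(doff, 20)       # doff < 20 is malformed; keep 20
    return None


def trim_icmp_error(icmp: bytes) -> bytes:
    """Cut the quoted datagram in an ICMP error down to its headers and fix
    the ICMP checksum. Non-error types (echo request/reply etc.) come back
    untouched: RFC 792 says echo data must be returned, so such packets can
    only be dropped, not trimmed."""
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return icmp
    inner = icmp[8:]
    keep = inner_header_len(inner)
    if keep is None or keep >= len(inner):
        return icmp                      # nothing recognisable to trim
    # The inner IP total-length field is left alone: the quote was already a
    # partial copy, and that field describes the original datagram.
    msg = bytearray(icmp[:8] + inner[:keep])
    msg[2:4] = b"\x00\x00"
    msg[2:4] = struct.pack("!H", checksum(bytes(msg)))
    return bytes(msg)


def quoted_payload(icmp: bytes) -> bytes:
    """Transport-layer payload still visible in the quoted datagram."""
    inner = icmp[8:]
    keep = inner_header_len(inner)
    return b"" if keep is None else inner[keep:]


# --- constructed sample packets (not captured traffic) ----------------------
# An FTP client behind NAT sent "PORT ..." to 192.0.2.10:21; a port-unreachable
# error quotes the first 64 bytes of that segment, PORT command included.
FTP_CMD = b"PORT 10,0,0,5,4,1\r\n"
TCP_HDR = struct.pack("!HHIIBBHHH", 40001, 21, 0x1000, 0x2000, 5 << 4, 0x18,
                      65535, 0, 0)
TCP_QUOTE = (ipv4_header("10.0.0.5", "192.0.2.10", IPPROTO_TCP,
                         20 + len(FTP_CMD)) + TCP_HDR + FTP_CMD)[:64]
SAMPLE_TCP_ERROR = icmp_message(3, 3, 0, TCP_QUOTE)

UDP_DATA = b"example udp payload"
UDP_HDR = struct.pack("!HHHH", 40002, 53, 8 + len(UDP_DATA), 0)
UDP_QUOTE = (ipv4_header("10.0.0.5", "192.0.2.53", IPPROTO_UDP,
                         8 + len(UDP_DATA)) + UDP_HDR + UDP_DATA)[:64]
SAMPLE_UDP_ERROR = icmp_message(3, 3, 0, UDP_QUOTE)

SAMPLE_ECHO = icmp_message(ICMP_ECHO_REQUEST, 0, 0x00010001, b"tunnelled data")

if __name__ == "__main__":
    for name, pkt in [("tcp", SAMPLE_TCP_ERROR), ("udp", SAMPLE_UDP_ERROR),
                      ("echo", SAMPLE_ECHO)]:
        out = trim_icmp_error(pkt)
        print(name, len(pkt), "->", len(out), "payload:", quoted_payload(out))
```

For the TCP sample the 59-byte ICMP error shrinks to 48 bytes (8 ICMP + 20 IP + 20 TCP) and the PORT command is gone; the UDP sample shrinks to 36 bytes; the echo request passes through unchanged, which is exactly why the thread concludes such packets have to be dropped rather than trimmed if tunnelling through echo is a concern.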