Hi All,

I put a rule to drop fragments on the FORWARD chain. The rule shows up OK in the `iptables -L -v` output but does not match any fragmented packets. When I log the packets on the FORWARD chain they seem to be reassembled.

My rules are simple and look like:

    iptables -I FORWARD -f -j DROP
    iptables -A FORWARD -j LOG --log-prefix YOGITEST

From an email thread on this list in January 2001: connection tracking does reassembly?? Is there a way to tell connection tracking not to reassemble? OR is it a bug that the iptables `-f` flag does not match fragmented packets?

Kernel: 2.4.17
Iptables: 1.2.1a

Thanks all!
-Yogini