Hi Patrick,

Thanks for your help! I just want to say "drop all fragments" or filter fragments. How do I do that?

What does the -f flag in iptables match if all fragments are assembled? Jacek suggests that I use "iptables -t prestate -f -j NOTRACK" but my iptables syntax check throws me out with an error. Any idea why?

Thanks again,
-Yogini

-----Original Message-----
From: Patrick Schaaf [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 11, 2002 11:34 PM
To: Yogini Parkhi
Cc: Netfilter (E-mail)
Subject: Re: HELP! iptables -f flag does not drop fragments...

Hi,

> I put a rule to drop fragments on the FORWARD chain. The rule shows up OK in
> the iptables -L -v output but does not match any fragmented packets. When I
> log the packets on FORWARD chain they seem to be reassembled.

Yes.

> From an email thread on this list in January 2001 connection tracking does
> reassembly??

Yes.

> Is there a way to tell connection tracking not to reassemble?

No, not until somebody goes to the considerable length to implement that.

Any code checking whole-packet content, like the conntracking (and especially the conntracking helpers), must be written in a much more complex way (read: more bugs, worse maintenance) if it must directly handle fragments. In fact, each piece of such checking code then must implement most rules of defragmentation, while still not fragmenting the packets.

Can you explain a bit what your usage scenario is, and how it requires fragments to be moved through the box unassembled?

best regards
Patrick
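The following is an added example, not code from either message in this thread. It shows what the iptables -f test actually looks at (the IPv4 fragment offset field: -f matches only second-and-further fragments, whose offset is non-zero) and why a packet that connection tracking has already reassembled can never match it. The packets are constructed for the example, the header checksum is left at zero, and reassemble() is a toy stand-in for the kernel's defragmentation, kept only to make the before/after difference visible.

```python
"""What `iptables -f` inspects, and why a reassembled datagram never matches.

Constructed example packets; not code from the netfilter thread above.
"""
import socket
import struct

IP_MF = 0x2000        # "More Fragments" flag (RFC 791)
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset, in units of 8 bytes


def build_fragment(ident, offset_units, more_fragments, payload,
                   src="192.0.2.1", dst="192.0.2.2", proto=17):
    """Build a minimal 20-byte IPv4 header (no options, checksum left 0)
    followed by the payload. Offsets are given in 8-byte units as on the wire."""
    flags_frag = (IP_MF if more_fragments else 0) | (offset_units & IP_OFFMASK)
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, ident, flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def fragment_info(packet):
    """Return (identification, fragment offset in bytes, more-fragments flag)."""
    ident, flags_frag = struct.unpack("!HH", packet[4:8])
    return ident, (flags_frag & IP_OFFMASK) * 8, bool(flags_frag & IP_MF)


def matches_f_flag(packet):
    """The `-f` match: true only for second-and-further fragments, i.e. a
    non-zero fragment offset. The first fragment (offset 0, MF set) and an
    unfragmented datagram (offset 0, MF clear) both fail this test."""
    _, offset, _ = fragment_info(packet)
    return offset != 0


def reassemble(fragments):
    """Toy defragmentation in the spirit of what conntrack does before the
    filter table sees the packet: collect every piece of one datagram,
    lay the payloads out at their offsets, and emit a single datagram with
    offset 0 and MF clear. Raises if a piece is missing or from another datagram."""
    ident = fragment_info(fragments[0])[0]
    pieces = {}
    saw_last = False
    for frag in fragments:
        fid, offset, more = fragment_info(frag)
        if fid != ident:
            raise ValueError("fragment from a different datagram")
        pieces[offset] = frag[20:]
        if not more:
            saw_last = True
    if not saw_last:
        raise ValueError("final fragment missing")
    payload = b""
    for offset in sorted(pieces):
        if offset != len(payload):
            raise ValueError("gap before offset %d" % offset)
        payload += pieces[offset]
    return build_fragment(ident, 0, False, payload)


def demo():
    """Split a 24-byte datagram into three 8-byte fragments and report which
    pieces an `-f` rule would match before reassembly, whether the reassembled
    datagram matches, and whether the payload survived intact."""
    data = b"ABCDEFGH" * 3
    frags = [
        build_fragment(0x1234, 0, True, data[0:8]),    # first fragment
        build_fragment(0x1234, 1, True, data[8:16]),   # offset 8 bytes
        build_fragment(0x1234, 2, False, data[16:24]), # last fragment
    ]
    before = [matches_f_flag(f) for f in frags]
    whole = reassemble(frags)
    after = matches_f_flag(whole)
    return before, after, whole[20:] == data


if __name__ == "__main__":
    print(demo())   # ([False, True, True], False, True)
```

The first fragment does not match -f even on the raw fragments, which is why a plain `-f -j DROP` rule cannot block a whole fragmented datagram on its own; once conntrack has stitched the pieces together (the `after` value), nothing arriving at FORWARD carries a non-zero offset, so the rule counts zero matches exactly as the thread describes.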