Hello SB CH,

> After I commanded iptables like this at my system,
> I can't see any dropped packet in this chain.
>
> $IPTABLES -A INPUT -f -j DROP
>
> So, I guess that this command is meaningless, right?
> As I know, all fragmented packets are reassembled before this chain.
This is only the case if you have ip_conntrack loaded. The command is not
meaningless in the general case.

> What do you think about this rule is needed or not?

What is it designed to accomplish? Why would you want to indiscriminately
drop fragments coming to your machine? Fragments are a normal part of IP
operation. You are breaking all kinds of protocols with such a rule.

Due to the defragmentation conntracking does, you won't notice this
breakage, until the day when conntracking and NAT have been made aware of
fragments (can happen any time).

To repeat for emphasis: the defragmentation conntrack does now is NOT, as
far as I know, a positive feature of conntrack, but a detail of the
current implementation. It can change at any time. And then you'll see
the breakage.

best regards
Patrick
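The point Patrick makes above, as an added illustration that is not part of the original thread: the `-f` match refers only to second and further fragments (fragment offset != 0), and when conntrack reassembles a datagram before the filter chain, the chain never sees such a packet. The headers below are constructed samples, and `packets_seen_by_filter` is a deliberately simplified model of conntrack's defragmentation, not kernel code.

```python
import struct

def ipv4_header(ident, flags, frag_offset_units, total_len=40):
    """Constructed minimal IPv4 header (no options). flags is the 3-bit
    field (reserved, DF, MF); frag_offset_units is in 8-byte units."""
    ver_ihl = (4 << 4) | 5
    flags_frag = (flags << 13) | (frag_offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident,
                       flags_frag, 64, 17, 0,
                       b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")

def fragment_info(pkt):
    """Return (is_fragment, offset_in_bytes, more_fragments) for a packet."""
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    more = bool(flags_frag & 0x2000)          # MF bit
    offset = (flags_frag & 0x1FFF) * 8        # 13-bit offset, 8-byte units
    return (more or offset > 0), offset, more

def matches_iptables_f(pkt):
    """iptables -f semantics: only second and further fragments match,
    so the first fragment (offset 0, MF set) is NOT matched."""
    _, offset, _ = fragment_info(pkt)
    return offset != 0

def packets_seen_by_filter(pkts, conntrack_loaded):
    """Simplified model: without conntrack every packet reaches INPUT as-is;
    with conntrack, fragments sharing an IP ID are replaced by one
    reassembled, unfragmented packet (incomplete sets are ignored here)."""
    if not conntrack_loaded:
        return list(pkts)
    seen, by_id = [], {}
    for p in pkts:
        is_frag, _, _ = fragment_info(p)
        if not is_frag:
            seen.append(p)
            continue
        by_id.setdefault(struct.unpack("!H", p[4:6])[0], []).append(p)
    for ident in by_id:
        seen.append(ipv4_header(ident, 0, 0))  # reassembled: MF=0, offset=0
    return seen

def count_f_matches(pkts, conntrack_loaded):
    """How many packets the rule '-A INPUT -f -j DROP' would drop."""
    return sum(matches_iptables_f(p)
               for p in packets_seen_by_filter(pkts, conntrack_loaded))

# Constructed sample: one datagram split into three fragments plus one
# ordinary (DF-flagged) unfragmented packet.
SAMPLE = [ipv4_header(0x1234, 1, 0), ipv4_header(0x1234, 1, 185),
          ipv4_header(0x1234, 0, 370), ipv4_header(0x0001, 2, 0)]
```

Without conntrack the rule drops the two non-first fragments and leaves the first fragment through; with conntrack loaded it matches nothing, which is exactly why no dropped packets show up in the counters.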
