Re: Clever firewall rules
From: Chris Ricker (kaboom@gatech.edu) Date: 09/17/01
Date: Sun, 16 Sep 2001 22:57:09 -0600 (MDT)
From: Chris Ricker <kaboom@gatech.edu>
To: <focus-linux@securityfocus.com>
Subject: Re: Clever firewall rules
Message-ID: <Pine.LNX.4.33.0109162252170.1528-100000@verdande.oobleck.net>
On Sun, 16 Sep 2001, Ross Vandegrift wrote:
> Modern kernels don't use this - they allow you to set thresholds with
> regard to IP defragmentation. Check /proc/sys/net/ipv4/ipfrag*.
>
> Unfortunately, a search of the internet for correct settings yielded
> little information - that was a few months ago. I do, for some reason,
> think that the defaults are reasonable though... I would like
> someone with better understanding to substantiate or refute. And an
> explanation wouldn't be bad either ::-)
Check Documentation/networking/ip-sysctl.txt in the kernel src tree. The
explanations there seem fairly straightforward:
IP Fragmentation:
ipfrag_high_thresh - INTEGER
Maximum memory used to reassemble IP fragments. When
ipfrag_high_thresh bytes of memory is allocated for this purpose,
the fragment handler will toss packets until ipfrag_low_thresh
is reached.
ipfrag_low_thresh - INTEGER
See ipfrag_high_thresh
ipfrag_time - INTEGER
Time in seconds to keep an IP fragment in memory.
later,
chris
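An added example, not from the thread or the kernel documentation quoted above: a small POSIX sh check that reads the three ipfrag_* sysctls the documentation describes and verifies they are internally consistent. The point worth checking is the relationship between the two thresholds: once ipfrag_high_thresh bytes are in use the reassembly code tosses fragments until usage falls to ipfrag_low_thresh, so low must sit below high, and ipfrag_time must be positive or partial fragments never expire. The second function writes a constructed stand-in for /proc/sys/net/ipv4 with made-up values so the check can be exercised without root or a real kernel; the directory path and the sample numbers are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original poster's code): sanity-check the ipfrag_*
# sysctls described in Documentation/networking/ip-sysctl.txt.
#
# check_ipfrag [DIR] reads ipfrag_high_thresh, ipfrag_low_thresh and
# ipfrag_time from DIR (default /proc/sys/net/ipv4) and reports whether
# the values make sense together:
#   - low_thresh must be below high_thresh; the kernel tosses fragments
#     once high is reached until usage drops back to low, so low >= high
#     would mean it never stops tossing.
#   - ipfrag_time must be positive, or incomplete fragments never age out.
# Prints one line ("ok: ..." or "bad: ...") and returns 0 or 1.
check_ipfrag() {
    dir="${1:-/proc/sys/net/ipv4}"
    high=$(cat "$dir/ipfrag_high_thresh") || return 1
    low=$(cat "$dir/ipfrag_low_thresh") || return 1
    frag_time=$(cat "$dir/ipfrag_time") || return 1
    if [ "$low" -ge "$high" ]; then
        echo "bad: ipfrag_low_thresh ($low) >= ipfrag_high_thresh ($high)"
        return 1
    fi
    if [ "$frag_time" -le 0 ]; then
        echo "bad: ipfrag_time ($frag_time) is not positive"
        return 1
    fi
    echo "ok: high=$high low=$low time=${frag_time}s"
    return 0
}

# make_fake_sysctl DIR HIGH LOW TIME writes a constructed stand-in for
# /proc/sys/net/ipv4 so check_ipfrag can be run offline. The values
# passed in are sample numbers for the example, not kernel defaults
# taken from the page.
make_fake_sysctl() {
    mkdir -p "$1"
    echo "$2" > "$1/ipfrag_high_thresh"
    echo "$3" > "$1/ipfrag_low_thresh"
    echo "$4" > "$1/ipfrag_time"
}

# Stand-alone run: exercise a consistent and an inverted pair of thresholds.
if [ "${0##*/}" != "sh" ] && [ -z "$IPFRAG_CHECK_NO_DEMO" ]; then
    demo=$(mktemp -d)
    make_fake_sysctl "$demo/good" 262144 196608 30
    make_fake_sysctl "$demo/bad" 196608 262144 30
    check_ipfrag "$demo/good"
    check_ipfrag "$demo/bad" || true
    rm -rf "$demo"
fi
```

On a real host, run `check_ipfrag` with no argument to read the live values. Note that "toss packets" means exactly what it says: under a fragment flood the kernel sheds reassembly state, and legitimate fragmented traffic (large UDP datagrams, some VPN and NFS traffic) is dropped along with it, so raising ipfrag_high_thresh trades memory for resistance to that kind of pressure rather than eliminating it.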