Re: block CodeRed/Nimda at the firewall?

From: D. Stussy (kd6lvw_at_bde-arc.ampr.org)
Date: 05/17/03


Date: Sat, 17 May 2003 01:45:21 GMT

On Fri, 16 May 2003, RainbowHat wrote:
> < D. Stussy
>
> >1) UDP packets cannot be fragmented. Only TCP packets can.
> ~~~ ~~~ ~~~~
> Wrong. All IP packets can be fragmented.

Not at the protocol level. IP is one level removed from that.

> >2) Some TCP implementations may try fragmented packets before falling back to
> ~~~~ ~~~
> Most IP
> >unfragmented ones. Furthermore, it's always possible that a packet may come
> >over some link that has a different (smaller) MTU than the other links in that
> >transmission and thus be fragmented. It's possible that your machine is left
> >to do the reintegration....
>
> "Fragmentation" is a concept of the IP layer. TCP|UDP are another layer.
> TCP has a concept of "Segmentation". TCP negotiates MSS (Maximum
> Segment Size) at the 3-way handshake. (Or uses the default smallest MSS if
> there is no TCP MSS option.) UDP doesn't have this mechanism. Large UDP and
> ICMP echo/reply will be IP fragmented. In some few cases TCP will be IP
> fragmented, as you described.
>
> BTW there is PMTUD (Path MTU Discovery) capability.

Then explain why the "-f" flag is valid in the firewall rules for IPTABLES only
for TCP entries.....
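As an added illustration for the thread, not code from either poster: a small Python decoder that reads the IPv4 header fields where fragmentation is recorded (the DF and MF flags and the fragment offset), runs it over constructed UDP, TCP and ICMP headers, and applies the same test that the iptables `-f`/`--fragment` match uses, a non-zero fragment offset, i.e. second and further fragments. Those later fragments carry no transport header at all, which is why port-based rules cannot classify them and firewalls handle them separately. The sample headers, addresses and identification values are constructed for this example, and header checksums are left at zero.

```python
import struct

IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Bit layout of the 16-bit flags/fragment-offset word in the IPv4 header (RFC 791).
DF_BIT = 0x4000        # "Don't Fragment"
MF_BIT = 0x2000        # "More Fragments"
OFFSET_MASK = 0x1FFF   # fragment offset, in units of 8 octets


def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header. Every fragmentation field lives here,
    in the IP header, independent of which transport protocol follows it."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError(f"not IPv4 (version={ver_ihl >> 4})")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & DF_BIT),
        "mf": bool(flags_frag & MF_BIT),
        "frag_offset": (flags_frag & OFFSET_MASK) * 8,   # converted to bytes
        "protocol": IP_PROTO_NAMES.get(proto, str(proto)),
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def classify_fragment(hdr: dict) -> str:
    """Unfragmented, first fragment (offset 0, MF set) or a later fragment (offset > 0)."""
    if hdr["frag_offset"] == 0 and not hdr["mf"]:
        return "unfragmented"
    if hdr["frag_offset"] == 0:
        return "first-fragment"
    return "later-fragment"


def matches_iptables_f(hdr: dict) -> bool:
    """iptables -f / --fragment matches second and further fragments only, which is
    exactly 'fragment offset != 0'. The transport header (and so any port numbers)
    is only present in the first fragment, never in these."""
    return hdr["frag_offset"] != 0


def build_ipv4_header(proto: int, total_len: int, ident: int, df: bool, mf: bool,
                      offset_bytes: int, src="10.0.0.1", dst="10.0.0.2") -> bytes:
    """Construct a 20-byte IPv4 header for the samples below (checksum left at 0)."""
    flags_frag = (DF_BIT if df else 0) | (MF_BIT if mf else 0) | ((offset_bytes // 8) & OFFSET_MASK)
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag, 64, proto, 0, src_b, dst_b)


# Constructed sample headers: a 2000-byte UDP datagram split at a 1500-byte MTU,
# a TCP segment sent with DF set (PMTUD style), and a later fragment of a large ICMP echo.
SAMPLE_HEADERS = {
    "udp_first":  build_ipv4_header(17, 1500, 0x1234, df=False, mf=True,  offset_bytes=0),
    "udp_second": build_ipv4_header(17, 540,  0x1234, df=False, mf=False, offset_bytes=1480),
    "tcp_df":     build_ipv4_header(6,  1500, 0x5678, df=True,  mf=False, offset_bytes=0),
    "icmp_later": build_ipv4_header(1,  1500, 0x9ABC, df=False, mf=True,  offset_bytes=1480),
}


def summarize(samples=SAMPLE_HEADERS) -> dict:
    """Map each sample name to (protocol, fragment class, would '-f' match it)."""
    out = {}
    for name, raw in samples.items():
        hdr = parse_ipv4_header(raw)
        out[name] = (hdr["protocol"], classify_fragment(hdr), matches_iptables_f(hdr))
    return out


if __name__ == "__main__":
    for name, (proto, kind, f_match) in summarize().items():
        print(f"{name:12s} proto={proto:4s} {kind:15s} iptables -f matches: {f_match}")
```

Run as a script it prints one line per constructed header; the UDP and ICMP later fragments are the only ones the `-f` test selects, while the TCP packet with DF set is reported unfragmented.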