Re: block CodeRed/Nimda at the firewall?

From: D. Stussy (kd6lvw_at_bde-arc.ampr.org)
Date: 05/17/03


Date: Sat, 17 May 2003 01:45:21 GMT

On Fri, 16 May 2003, RainbowHat wrote:
> < D. Stussy
>
> >1) UDP packets cannot be fragmented. Only TCP packets can.
> ~~~ ~~~ ~~~~
> Wrong. All IP packets can be fragmented.

Not at the protocol level. IP is one level removed from that.

> >2) Some TCP implementations may try fragmented packets before falling back to
> ~~~~ ~~~
> Most IP
> >unfragmented ones. Furthermore, it's always possible that a packet may come
> >over some link that has a different (smaller) MTU than the other links in that
> >transmission and thus be fragmented. It's possible that your machine is left
> >to do the reintegration....
>
> "Fragmentation" is a concept of the IP layer. TCP|UDP are another layer.
> TCP has a concept of "segmentation". TCP negotiates the MSS (Maximum
> Segment Size) at the 3-way handshake. (Or uses the default smallest MSS if there is no
> TCP MSS option.) UDP doesn't have this mechanism. Large UDP and ICMP
> echo/reply packets will be IP fragmented. There are some few cases where TCP will be IP
> fragmented, as you described.
>
> BTW there is a PMTUD (Path MTU Discovery) capability.

Then explain why the "-f" flag is valid in the firewall rules for IPTABLES only
for TCP entries.....
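Added example, not part of this thread or of any iptables code: a small Python model of IP-layer fragmentation as the exchange above describes it. It builds a constructed 1400-byte UDP datagram, splits it into IPv4 fragments for a given MTU (offsets in 8-byte units, MF flag on all but the last), reassembles it, and shows the point that matters to a packet filter: only the first fragment (offset 0) carries the transport header, so a port-based rule has nothing to match in later fragments. Addresses, ports, the IP identification value and the payload are constructed sample values, not taken from the thread.

```python
import struct
from typing import Dict, List, Optional, Tuple

IP_PROTO_UDP = 17
FLAG_DF = 0x2  # Don't Fragment
FLAG_MF = 0x1  # More Fragments


def checksum(data: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, proto: int, ident: int,
               flags: int, frag_off: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) plus payload."""
    flags_off = (flags << 13) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def fragment(src: bytes, dst: bytes, proto: int, ident: int,
             payload: bytes, mtu: int) -> List[bytes]:
    """Split one IP payload (a whole UDP datagram or TCP segment) into
    fragments that fit the MTU. Fragment offsets must be multiples of 8,
    so the per-fragment payload is rounded down to a multiple of 8."""
    chunk = (mtu - 20) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small for an IPv4 header plus 8 bytes")
    if not payload:
        return [build_ipv4(src, dst, proto, ident, 0, 0, b"")]
    frags = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        last = start + chunk >= len(payload)
        flags = 0 if last else FLAG_MF
        frags.append(build_ipv4(src, dst, proto, ident, flags, start // 8, piece))
    return frags


def parse_ipv4(pkt: bytes) -> Dict:
    """Decode the fields a filter needs: identification, flags, offset, payload."""
    (vihl, _tos, total, ident, flags_off, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0xF) * 4
    flags = flags_off >> 13
    return {"ident": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool(flags & FLAG_MF), "df": bool(flags & FLAG_DF),
            "offset": flags_off & 0x1FFF, "payload": pkt[ihl:total]}


def l4_ports(pkt: bytes) -> Optional[Tuple[int, int]]:
    """Return (sport, dport) only if this fragment carries the transport
    header, i.e. it is the first fragment. Later fragments return None:
    a stateless port rule cannot classify them."""
    f = parse_ipv4(pkt)
    if f["offset"] != 0 or len(f["payload"]) < 4:
        return None
    return struct.unpack("!HH", f["payload"][:4])


def reassemble(frags: List[bytes]) -> bytes:
    """Reassemble fragments of one datagram, rejecting gaps and overlaps."""
    parsed = sorted((parse_ipv4(p) for p in frags), key=lambda f: f["offset"])
    if len({f["ident"] for f in parsed}) != 1:
        raise ValueError("fragments belong to different datagrams")
    out = bytearray()
    for f in parsed:
        if f["offset"] * 8 != len(out):
            raise ValueError("gap or overlap at offset %d" % f["offset"])
        out += f["payload"]
    if parsed[-1]["mf"]:
        raise ValueError("last fragment missing")
    return bytes(out)


def udp_datagram(sport: int, dport: int, data: bytes) -> bytes:
    # UDP checksum 0 means "not computed", which IPv4 permits.
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Constructed sample: 1400-byte UDP datagram between two documentation addresses.
SRC = bytes([192, 0, 2, 10])
DST = bytes([198, 51, 100, 20])
SAMPLE_UDP = udp_datagram(40000, 53, b"A" * 1392)


def demo(mtu: int = 576) -> Tuple[int, List[Optional[Tuple[int, int]]]]:
    """Fragment the sample for the given MTU; return the fragment count and
    what a port-matching rule would see in each fragment."""
    frags = fragment(SRC, DST, IP_PROTO_UDP, 0x1234, SAMPLE_UDP, mtu)
    assert reassemble(frags[::-1]) == SAMPLE_UDP  # order on the wire does not matter
    return len(frags), [l4_ports(f) for f in frags]


if __name__ == "__main__":
    print(demo())  # (3, [(40000, 53), None, None]) for a 576-byte MTU
```

With a 576-byte MTU the 1400-byte datagram becomes three fragments of 552, 552 and 296 payload bytes; only the first yields ports. That is why a packet filter that matches on ports either has to reassemble (or track the first fragment's verdict) before deciding, or treat non-first fragments as a separate class of traffic.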
