Re: Should I block Fragmented IP Packets?

jKILLSPAM.schipper_at_math.uu.nl
Date: 11/19/05


Date: 19 Nov 2005 15:34:02 GMT

Kyle Stedman <kyle_st@yahoo.com> wrote:
> I'm using a Linksys Wireless-G Cable Gateway. One of the firewall settings
> is to block fragmented IP packets. Should I? Or will this cause connection
> problems?
>
> Also, should I filter multicast?
>
> Thanks for any info...I'm new to this.
>
> Kyle

In both cases, 'it depends'. Disabling fragmented IP *usually* works,
because in most cases, the hosts will use PMTUD (Path Maximum Transfer
Unit Discovery) and adjust the size of the IP packets they are sending
accordingly.

*However*, many IPSec implementations do not, and IPSec is widely used
for VPNs.

I'd venture a guess that if you are not establishing IPSec connections
from behind the firewall, or doing other fancy networking stuff that's
so complicated you *will* know if you do it, you can safely disable
fragmented IP.

Filtering multicast depends on whether you use it. I don't see much benefit
in disabling it, except perhaps as a small measure to make DoS slightly
less easy, but it isn't used too much either. You could disable it and
see if anything, in particular mbone-based stuff and some p2p apps,
breaks.

More important is to make sure to use proper security between all the
hosts and the firewall. WEP is pretty useless, and WPA makes it as good
as a regular ethernet switch with a dozen cables running out of your
house, under the front door. I've heard MAC poisoning and the like are
pretty dangerous; search the web, or the archives of a security list
like Full-Disclosure, for this.

                Joachim
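Editor's added example (not part of Joachim's reply, and not Linksys firmware code): a small Python model of what a "block fragmented IP packets" / "filter multicast" setting actually matches on. It builds IPv4 packets from scratch, fragments one the way a router would when DF is clear, and then runs the gateway policy over three constructed cases: a TCP packet with DF set (the PMTUD case, which passes), an ESP packet that was too big for the link and got fragmented (both pieces are dropped, which is why an IPsec tunnel breaks), and an SSDP packet to a multicast group (dropped only when multicast filtering is on). All addresses, payloads and the `gateway_verdict` policy are made up for the illustration.

```python
import struct
import ipaddress

# IP protocol numbers used in the constructed samples
TCP, UDP, ESP, AH = 6, 17, 50, 51


def ipv4_checksum(hdr):
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, df=False, mf=False, frag_offset=0,
               ident=0x1234, ttl=64):
    """Construct a minimal IPv4 packet (20-byte header, no options).
    frag_offset is in 8-byte units, exactly as carried in the header."""
    flags = (int(df) << 1) | int(mf)          # bit 2 reserved, bit 1 DF, bit 0 MF
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack('!H', ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Decode the fields a packet filter needs; reject malformed headers."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack('!BBHHHBBH4s4s', pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(pkt[:ihl]) != 0:      # a correct header sums to zero
        raise ValueError("bad header checksum")
    flags = flags_frag >> 13
    return {'ihl': ihl, 'total_len': total_len, 'ident': ident, 'ttl': ttl,
            'df': bool(flags & 0b010), 'mf': bool(flags & 0b001),
            'offset': flags_frag & 0x1FFF, 'proto': proto,
            'src': str(ipaddress.IPv4Address(src)),
            'dst': str(ipaddress.IPv4Address(dst))}


def fragment(pkt, mtu):
    """Split a packet the way a router does when it exceeds the next-hop MTU.
    With DF set a router may not fragment; it drops the packet and sends
    ICMP type 3 code 4 instead, which is what PMTUD relies on."""
    h = parse_ipv4(pkt)
    if h['df']:
        raise ValueError("DF set: must drop and send ICMP 'fragmentation needed'")
    payload = pkt[h['ihl']:]
    chunk = (mtu - h['ihl']) // 8 * 8         # fragment payloads are 8-byte multiples
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        last = off + chunk >= len(payload)
        frags.append(build_ipv4(h['src'], h['dst'], h['proto'], piece,
                                mf=not last, frag_offset=off // 8,
                                ident=h['ident'], ttl=h['ttl']))
    return frags


def classify(pkt):
    h = parse_ipv4(pkt)
    return {
        'fragment': h['mf'] or h['offset'] != 0,        # any piece of a fragmented datagram
        'first_fragment': h['mf'] and h['offset'] == 0, # only piece carrying the L4 header
        'pmtud': h['df'],                               # sender is relying on PMTUD
        'ipsec': h['proto'] in (ESP, AH),
        'multicast': ipaddress.IPv4Address(h['dst']).is_multicast,  # 224.0.0.0/4
    }


def gateway_verdict(pkt, block_fragments=True, block_multicast=False):
    """Hypothetical model of the two gateway checkboxes; returns (verdict, reason)."""
    c = classify(pkt)
    if block_fragments and c['fragment']:
        return ('drop', 'fragment')
    if block_multicast and c['multicast']:
        return ('drop', 'multicast')
    return ('accept', None)


if __name__ == '__main__':
    # Constructed samples: a DF-flagged TCP packet, an oversized ESP packet, an SSDP query.
    tcp = build_ipv4('192.168.1.10', '203.0.113.5', TCP, b'\x00' * 20, df=True)
    esp = build_ipv4('192.168.1.10', '203.0.113.5', ESP, b'\xab' * 1580)
    ssdp = build_ipv4('192.168.1.10', '239.255.255.250', UDP, b'M-SEARCH * HTTP/1.1')
    print('TCP with DF   :', gateway_verdict(tcp))
    for f in fragment(esp, 1500):
        print('ESP fragment  :', gateway_verdict(f), parse_ipv4(f)['offset'])
    print('SSDP multicast:', gateway_verdict(ssdp, block_multicast=True))
```

The point the model makes concrete: the checkbox does not inspect what is inside the fragment, it only looks at the MF bit and the fragment offset, so an IPsec peer that sends 1600-byte ESP datagrams without DF loses every one of them once the router in front has to fragment, while a TCP sender with DF set never produces a fragment in the first place.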
