
sslug-teknik team mailing list archive

Re: Sv: Sv: Sv: IP.masq suse 6.2

 

In <009901bfda13$06a56680$0400a8c0@intet> "rene" <k2os@xxxxxxxxxxxxxx> writes:

>> .... You should also tell
>> the Linux machine that it must defragment packets - otherwise
>> masquerading fails. That is:

> just a quick side question.. Ehh, why defrag? I don't do it
> on my RH6.2 gateway, and it works quite fine--

The problem is that some of the information the firewall rules use to
decide whether a packet should be let through or not - e.g. the port
number - is not included in every fragment. From the IPCHAINS-HOWTO:

  The problem with fragments is that some of the specifications listed
  above (in particular, source port, destinations port, ICMP type, ICMP
  code, or TCP SYN flag) require the kernel to peek at the start of the
  packet, which is only contained in the first fragment. 
 
  If your machine is the only connection to an external network, then
  you can tell the Linux kernel to reassemble all fragments which pass
  through it, by compiling the kernel with IP: always defragment set to
  `Y'.  This sidesteps the issue neatly.

In Linux 2.2 it is just a run-time setting instead of a compile-time
setting.
-- 
Henrik Storner      | "Crackers thrive on code secrecy. Cockroaches breed 
<henrik@xxxxxxxxxx> |  in the dark. It's time to let the sunlight in."
                    |  
                    |          Eric S. Raymond, re. the Frontpage backdoor
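The point made above, shown in code as an added example that is not part of the mailing-list post: a small IPv4/UDP datagram is built, split into fragments, and run through a toy stateless port filter both fragment by fragment and after reassembly. The packet bytes are constructed inline, and the filter and reassembler are simplified stand-ins for the kernel code, not ipchains itself. Only the first fragment carries the UDP header, so a "deny UDP to port 53" rule can match only that fragment; every later fragment has no port to look at and falls through to the chain policy, which is exactly what reassembling first (the "IP: always defragment" option, in 2.2 the /proc/sys/net/ipv4/ip_always_defrag setting) avoids.

```python
"""
Why a port-based filter rule cannot be evaluated on non-first IP fragments,
and what defragmenting before filtering buys you. Added illustration, not
code from the post or from ipchains; packet bytes are constructed inline.
"""
import socket
import struct

IP_HDR_LEN = 20
UDP_HDR_LEN = 8
PROTO_UDP = 17
MF_FLAG = 0x2000        # "more fragments" bit in the flags/fragment-offset field
OFFSET_MASK = 0x1FFF    # fragment offset, in units of 8 bytes


def build_ipv4_udp(src, dst, sport, dport, payload, ident=0x1234):
    """Return one unfragmented IPv4 datagram carrying a UDP header and payload."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, IP_HDR_LEN + len(udp), ident, 0, 64, PROTO_UDP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def fragment(datagram, mtu):
    """Split a datagram into fragments that fit in mtu; data per fragment is a multiple of 8."""
    hdr, data = datagram[:IP_HDR_LEN], datagram[IP_HDR_LEN:]
    chunk = (mtu - IP_HDR_LEN) // 8 * 8
    frags = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        more = off + chunk < len(data)
        flags_off = (MF_FLAG if more else 0) | (off // 8)
        new_hdr = (hdr[:2] + struct.pack("!H", IP_HDR_LEN + len(piece)) + hdr[4:6]
                   + struct.pack("!H", flags_off) + hdr[8:])
        frags.append(new_hdr + piece)
    return frags


def frag_offset(pkt):
    """Byte offset of this fragment's data within the original datagram."""
    return (struct.unpack("!H", pkt[6:8])[0] & OFFSET_MASK) * 8


def filter_packet(pkt, blocked_dport, policy="ACCEPT"):
    """
    Toy stateless filter with one rule: DENY UDP to blocked_dport.
    A rule that names a port cannot be decided on a fragment that does not
    contain the transport header, so such fragments get the chain policy.
    """
    if pkt[9] != PROTO_UDP or frag_offset(pkt) != 0:
        return policy                       # no UDP header in this fragment
    dport = struct.unpack("!H", pkt[IP_HDR_LEN + 2:IP_HDR_LEN + 4])[0]
    return "DENY" if dport == blocked_dport else policy


def reassemble(frags):
    """Reassemble the fragments of one datagram (same IP id) into the original packet."""
    ident = struct.unpack("!H", frags[0][4:6])[0]
    pieces, total = {}, None
    for f in frags:
        if struct.unpack("!H", f[4:6])[0] != ident:
            raise ValueError("fragment from a different datagram")
        off, data = frag_offset(f), f[IP_HDR_LEN:]
        pieces[off] = data
        if not struct.unpack("!H", f[6:8])[0] & MF_FLAG:
            total = off + len(data)         # last fragment fixes the full length
    expect = 0
    for off in sorted(pieces):              # refuse holes or overlaps
        if off != expect:
            raise ValueError("fragments do not form a contiguous datagram")
        expect = off + len(pieces[off])
    if total is None or expect != total:
        raise ValueError("incomplete datagram")
    hdr = frags[0][:IP_HDR_LEN]
    hdr = hdr[:2] + struct.pack("!H", IP_HDR_LEN + total) + hdr[4:6] + b"\x00\x00" + hdr[8:]
    return hdr + b"".join(pieces[off] for off in sorted(pieces))


def demo(blocked_dport=53):
    """Filter the same datagram fragment by fragment, then after reassembly."""
    pkt = build_ipv4_udp("10.0.0.2", "192.168.0.4", 40000, blocked_dport, b"A" * 64)
    frags = fragment(pkt, mtu=28)           # 8 data bytes each: frag 0 is just the UDP header
    per_fragment = [filter_packet(f, blocked_dport) for f in frags]
    whole = filter_packet(reassemble(frags), blocked_dport)
    return per_fragment, whole


if __name__ == "__main__":
    verdicts, whole = demo()
    print("per fragment:", verdicts)        # only the first fragment can be denied
    print("after reassembly:", whole)
```

With the chain policy at ACCEPT, eight of the nine fragments of a datagram to the blocked port pass the per-fragment filter, since the rule never gets to see a port for them; the reassembled datagram is denied. With a DENY policy the situation inverts and all non-first fragments of legitimate traffic are dropped instead, which is the other half of why the HOWTO recommends reassembling on a gateway that is the only path to the outside.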

