Should I block Fragmented IP Packets?
DComTalk.com: Discussion of VoIP, VPN, video conferencing, DSL and other data communications.
Kyle Stedman (Guest)

Posted: Sat Nov 19, 2005 5:21 pm    Post subject: Should I block Fragmented IP Packets?

I'm using a Linksys Wireless-G Cable Gateway. One of the firewall settings
is to block fragmented IP packets. Should I? Or will this cause connection
problems.

Also, should I filter multicast?

Thanks for any info...I'm new to this.

Kyle
Guest

Posted: Sat Nov 19, 2005 5:21 pm    Post subject: Re: Should I block Fragmented IP Packets?

Kyle Stedman <kyle_st@yahoo.com> wrote:
Quote:
I'm using a Linksys Wireless-G Cable Gateway. One of the firewall settings
is to block fragmented IP packets. Should I? Or will this cause connection
problems.

Also, should I filter multicast?

Thanks for any info...I'm new to this.

Kyle

In both cases, 'it depends'. Disabling fragmented IP *usually* works,
because in most cases, the hosts will use PMTUD (Path Maximum Transfer
Unit Discovery) and adjust the size of the IP packets they are sending
accordingly.

*However*, many IPSec implementations do not, and IPSec is widely used
for VPNs.

I'd venture a guess that if you are not establishing IPSec connections
from behind the firewall, or doing other fancy networking stuff that's
so complicated you *will* know if you do it, you can safely disable
fragmented IP.

Filtering multicast depends on whether you use it. I don't see much benefit
in disabling it, except perhaps as a small measure to make DoS slightly
less easy, but it isn't used too much either. You could disable it and
see if anything, in particular mbone-based stuff and some p2p apps,
breaks.

More important is to make sure to use proper security between all the
hosts and the firewall. WEP is pretty useless, and WPA makes it as good
as a regular ethernet switch with a dozen cables running out of your
house, under the front door. I've heard MAC poisoning and the like is
pretty dangerous; search the web, or the archives of a security list
like Full-Disclosure, for this.

Joachim
Kyle Stedman (Guest)

Posted: Sat Nov 19, 2005 5:21 pm    Post subject: Re: Should I block Fragmented IP Packets?
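To make the advice above concrete, here is an added example (not part of the original thread, and not Linksys firmware logic) that decodes the IPv4 header fields a "block fragmented IP packets" rule and a "filter multicast" rule actually look at: the DF and MF flags, the fragment offset, and the destination address. It also shows why a PMTUD-capable host (DF set) keeps working when fragments are blocked while an IPsec stack that sends oversized packets without DF does not. All packets are constructed in-line with a small header builder; the addresses, sizes and function names are assumptions chosen for illustration.

```python
import ipaddress
import struct

# RFC 791 IPv4 header layout (20 bytes, no options).
IPV4_HDR = "!BBHHHBBH4s4s"
IPV4_MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def build_ipv4_header(src, dst, payload_len, proto, df=False, mf=False, frag_offset_bytes=0, ident=0x1234):
    """Construct a sample IPv4 header (checksum left zero; never sent on the wire)."""
    ver_ihl = (4 << 4) | 5                       # version 4, 5 x 32-bit words
    flags = (int(df) << 1) | int(mf)             # bit 1 = DF, bit 0 = MF
    flags_frag = (flags << 13) | ((frag_offset_bytes // 8) & 0x1FFF)
    return struct.pack(IPV4_HDR, ver_ihl, 0, 20 + payload_len, ident, flags_frag, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def classify(packet):
    """Decode the fields a consumer firewall's fragment/multicast rules inspect."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    flags = flags_frag >> 13
    offset_bytes = (flags_frag & 0x1FFF) * 8     # offset is in 8-byte units
    mf = bool(flags & 0b001)
    dst_ip = ipaddress.ip_address(dst)
    return {
        "src": str(ipaddress.ip_address(src)), "dst": str(dst_ip), "proto": proto,
        "total_len": total_len, "ident": ident, "df": bool(flags & 0b010), "mf": mf,
        "offset_bytes": offset_bytes,
        # A first fragment has MF set; a later fragment has a non-zero offset.
        "is_fragment": mf or offset_bytes != 0,
        "is_multicast": dst_ip in IPV4_MULTICAST,
    }


def firewall_verdict(packet, block_fragments=True, filter_multicast=False):
    """Apply the two gateway options to one packet and return the verdict."""
    info = classify(packet)
    if block_fragments and info["is_fragment"]:
        return "drop: fragment"
    if filter_multicast and info["is_multicast"]:
        return "drop: multicast"
    return "allow"


def transit_outcome(packet, link_mtu):
    """What a router with a smaller downstream MTU does with this (unfragmented) packet."""
    info = classify(packet)
    if info["total_len"] <= link_mtu:
        return "forwarded intact"
    if info["df"]:
        # PMTUD: the sender learns the smaller MTU and resends smaller packets.
        return "dropped, ICMP fragmentation-needed sent (PMTUD path)"
    # No DF: the router fragments, and a "block fragments" rule downstream drops the pieces.
    return "fragmented by router"


# Constructed sample traffic (hypothetical addresses; 6 = TCP, 17 = UDP, 50 = ESP).
SAMPLES = {
    "pmtud_tcp": build_ipv4_header("192.168.1.10", "203.0.113.5", 1460, 6, df=True),
    "esp_no_df": build_ipv4_header("192.168.1.10", "198.51.100.7", 1480, 50),
    "esp_frag_first": build_ipv4_header("192.168.1.10", "198.51.100.7", 1480, 50, mf=True),
    "esp_frag_last": build_ipv4_header("192.168.1.10", "198.51.100.7", 100, 50, frag_offset_bytes=1480),
    "multicast_udp": build_ipv4_header("192.168.1.10", "239.255.255.250", 200, 17),
}


def audit(block_fragments=True, filter_multicast=False):
    """Verdict for every sample under the chosen gateway settings."""
    return {name: firewall_verdict(pkt, block_fragments, filter_multicast) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:15s} {verdict}")
    print("pmtud_tcp over MTU 1400:", transit_outcome(SAMPLES["pmtud_tcp"], 1400))
    print("esp_no_df over MTU 1400:", transit_outcome(SAMPLES["esp_no_df"], 1400))
```

Running the audit with the defaults drops both ESP fragments and allows everything else, which is exactly Joachim's point: TCP with DF set never arrives as fragments, so blocking them is harmless, while an IPsec tunnel whose packets get fragmented in transit stops working until the rule is relaxed or the tunnel MTU is lowered.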

jKILLSPAM.schipper@math.uu.nl wrote in
news:437f45ea$0$33780$dbd41001@news.wanadoo.nl:

Quote:
Kyle Stedman <kyle_st@yahoo.com> wrote:
I'm using a Linksys Wireless-G Cable Gateway. One of the firewall
settings is to block fragmented IP packets. Should I? Or will this
cause connection problems.

Also, should I filter multicast?

Thanks for any info...I'm new to this.

Kyle

In both cases, 'it depends'. Disabling fragmented IP *usually* works,
because in most cases, the hosts will use PMTUD (Path Maximum Transfer
Unit Discovery) and adjust the size of the IP packets they are sending
accordingly.

*However*, many IPSec implementations do not, and IPSec is widely used
for VPNs.

I'd venture a guess that if you are not establishing IPSec connections
from behind the firewall, or doing other fancy networking stuff that's
so complicated you *will* know if you do it, you can safely disable
fragmented IP.

Filtering multicast depends on whether you use it. I don't see much benefit
in disabling it, except perhaps as a small measure to make DoS
slightly less easy, but it isn't used too much either. You could
disable it and see if anything, in particular mbone-based stuff and
some p2p apps, breaks.

More important is to make sure to use proper security between all the
hosts and the firewall. WEP is pretty useless, and WPA makes it as
good as a regular ethernet switch with a dozen cables running out of
your house, under the front door. I've heard MAC poisoning and the
like is pretty dangerous; search the web, or the archives of a
security list like Full-Disclosure, for this.

Joachim


Thanks Joachim! I appreciate the explanations and advice.

Kyle
Powered by phpBB