Question Regarding Firewall Settings on Linksys Gateway-Rout
Kyle Stedman
Guest
Posted: Sun Dec 04, 2005 5:21 pm    Post subject: Question Regarding Firewall Settings on Linksys Gateway-Rout

Hi,

Aside from turning the firewall feature on (Stateful Packet Inspection),
and enabling Block Anonymous Internet Requests, should I turn on Block
Fragmented IP Packets, and Filter Multicast?

What would be the upside and downside to turning those two features on?

Thanks, from a newbie.

Kyle
Guest
Posted: Mon Dec 05, 2005 2:35 am    Post subject: Re: Question Regarding Firewall Settings on Linksys Gateway-

Kyle Stedman <kyle_st@yahoo.com> wrote:
Quote:
Hi,

Aside from turning the firewall feature on (Stateful Packet Inspection),
and enabling Block Anonymous Internet Requests, should I turn on Block
Fragmented IP Packets, and Filter Multicast?

What would be the upside and downside to turning those two features on?

Thanks, from a newbie.

Kyle

Disclaimer: I have no experience or knowledge with Linksys stuff in
general, and you didn't post the specific model, so you'll be given a
platform-agnostic answer.

Fragmented IP packets are sometimes (though not often) seen as part of
legitimate connections. I have, personally, encountered them as part of
IPsec connections (to be more precise - as part of an ISAKMP negotiation
involving rather large certificates between OpenBSD or Linux/KAME and a
third host, respectively Linux/KAME and Windows XP); obviously, blocking
fragments will block the application. It is better, from a technical
networking point of view, to allow such legal traffic as fragmented IP,
and at times, not allowing it will break stuff in mysterious ways. OTOH,
I have only encountered breakage while doing advanced things (c.q.
IPsec).
The downside is that quite a few fragmented packets are just scans, and
that reassembling packets takes a bit of memory and processing power.
The gateway may do that itself, or leave it to the hosts beyond. In the
first case, there's a possibility of exhausting the memory (though a
properly designed appliance will drop fragments in preference of going
down); in the second case, there is some possibility for scanning.
Though only if the packets are sent there in the first case, and the
router does not properly implement access control for fragments.

All in all, this does not matter too much either way. My gut feeling
says to leave it enabled, as it's correct behaviour, but do what you
please - it's unlikely to matter.
There might, in some circumstances, be some small security benefit to
disabling it, though.

Multicast is the same category. There are some multicast applications on
the internet, usually involved in sharing lots of streaming content or
the like, but it does open one more protocol to the world. Since
multicast is not part of the protocols most people use daily, I'd
disable this.
Of course, if you use any applications that require multicast, enable
it... and it doesn't hurt much either way.

Joachim
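Joachim's two points about a well-behaved gateway, that it should shed fragments rather than exhaust its reassembly memory and that it should apply access control to fragments even though only the first fragment carries the transport header, modelled in a small Python example added here (it is not code from the thread, from Linksys, or from any real firewall). The UDP/500 (ISAKMP) allow-list, the 4096-byte buffer budget and the fragmented sample datagram are all constructed for the demonstration; the IPv4 header layout follows RFC 791.

```python
import struct

# Constructed policy for this demo: only UDP/500 (ISAKMP) may arrive fragmented.
ALLOWED_UDP_PORTS = {500}

def build_fragments(src, dst, ident, udp_payload, dport=500, mtu=576):
    """Split one UDP datagram into IPv4 fragments (constructed test input)."""
    udp = struct.pack("!HHHH", 500, dport, 8 + len(udp_payload), 0) + udp_payload
    step = (mtu - 20) // 8 * 8  # payload bytes per fragment, a multiple of 8
    frags = []
    for off in range(0, len(udp), step):
        chunk, more = udp[off:off + step], int(off + step < len(udp))
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          (more << 13) | (off // 8), 64, 17, 0, src, dst)
        frags.append(hdr + chunk)
    return frags

class FragmentGateway:
    """Reassembles IPv4 fragments, shedding load instead of exhausting memory."""
    def __init__(self, budget=4096):
        self.budget, self.used, self.flows = budget, 0, {}

    def receive(self, pkt):
        """Return 'drop', 'hold', or the reassembled UDP datagram as bytes."""
        total, ident, flags_off, _ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
        key, data = (pkt[12:16], pkt[16:20], ident, proto), pkt[(pkt[0] & 0x0F) * 4:total]
        more, offset = (flags_off >> 13) & 1, (flags_off & 0x1FFF) * 8
        if offset == 0:
            # Only the first fragment has the UDP header: filter on it, then admit its tail.
            dport = struct.unpack("!H", data[2:4])[0] if proto == 17 and len(data) >= 4 else None
            if dport not in ALLOWED_UDP_PORTS:
                return "drop"
            self.flows.setdefault(key, {"parts": {}, "end": None})
        if key not in self.flows:
            return "drop"  # tail fragment whose head never passed the filter
        if self.used + len(data) > self.budget:
            self.used -= sum(len(p) for p in self.flows.pop(key)["parts"].values())
            return "drop"  # buffer exhausted: shed this datagram rather than go down
        flow = self.flows[key]
        self.used += len(data) - len(flow["parts"].get(offset, b""))  # duplicate-safe
        flow["parts"][offset] = data
        if not more:
            flow["end"] = offset + len(data)
        offs = sorted(flow["parts"])  # complete only once contiguous from 0 to end
        ends = [o + len(flow["parts"][o]) for o in offs]
        if flow["end"] is None or offs != [0] + ends[:-1] or ends[-1] != flow["end"]:
            return "hold"
        self.used -= ends[-1]
        del self.flows[key]
        return b"".join(flow["parts"][o] for o in offs)
```

Out-of-order fragments are held until the datagram is contiguous, a non-allowed first fragment takes its tail down with it, and a too-small budget drops the datagram while the gateway keeps running.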
Kyle Stedman
Guest
Posted: Mon Dec 05, 2005 5:50 am    Post subject: Re: Question Regarding Firewall Settings on Linksys Gateway-

jKILLSPAM.schipper@math.uu.nl wrote in
news:43935322$0$33780$dbd41001@news.wanadoo.nl:

Quote:
Kyle Stedman <kyle_st@yahoo.com> wrote:
Hi,

Aside from turning the firewall feature on (Stateful Packet
Inspection), and enabling Block Anonymous Internet Requests, should I
turn on Block Fragmented IP Packets, and Filter Multicast?

What would be the upside and downside to turning those two features
on?

Thanks, from a newbie.

Kyle

Disclaimer: I have no experience or knowledge with Linksys stuff in
general, and you didn't post the specific model, so you'll be given a
platform-agnostic answer.

Fragmented IP packets are sometimes (though not often) seen as part of
legitimate connections. I have, personally, encountered them as part
of IPsec connections (to be more precise - as part of an ISAKMP
negotiation involving rather large certificates between OpenBSD or
Linux/KAME and a third host, respectively Linux/KAME and Windows XP);
obviously, blocking fragments will block the application. It is
better, from a technical networking point of view, to allow such legal
traffic as fragmented IP, and at times, not allowing it will break
stuff in mysterious ways. OTOH, I have only encountered breakage while
doing advanced things (c.q. IPsec).
The downside is that quite a few fragmented packets are just scans,
and that reassembling packets takes a bit of memory and processing
power. The gateway may do that itself, or leave it to the hosts
beyond. In the first case, there's a possibility of exhausting the
memory (though a properly designed appliance will drop fragments in
preference of going down); in the second case, there is some
possibility for scanning. Though only if the packets are sent there in
the first case, and the router does not properly implement access
control for fragments.

All in all, this does not matter too much either way. My gut feeling
says to leave it enabled, as it's correct behaviour, but do what you
please - it's unlikely to matter.
There might, in some circumstances, be some small security benefit to
disabling it, though.

Multicast is the same category. There are some multicast applications
on the internet, usually involved in sharing lots of streaming content
or the like, but it does open one more protocol to the world. Since
multicast is not part of the protocols most people use daily, I'd
disable this.
Of course, if you use any applications that require multicast, enable
it... and it doesn't hurt much either way.

Joachim


Thanks Joachim!

Kyle
All times are GMT