User manual

Chapter 4 - Layer 3 Command Set - IP Networking Ipfw Command (IP Firewall)
Alvarion BreezeNET B130/B300 GigE 186 Operational User Manual
A filter that verifies TCP or UDP port numbers can only inspect the first IP
fragment of a sequence: the transport header carrying the port numbers is
present in that first fragment only, so later fragments are never checked
against such a filter.
If your filter accepts incoming IP fragments, a malefactor may mount a "denial of
service" attack by flooding you with fragments that carry many different source
addresses; the fragments held while waiting for reassembly then exhaust the
memory of your device.
Therefore, the only complete protection against this kind of "denial of service"
attack is to prohibit reception of any fragmented packets:
ipfw add reject all ip_fragment from 0/0 to 0/0
This measure certainly strengthens your security; remember, however, that a
malefactor may still use other methods of aggression, e.g. simply pelting you
with packets of any kind or with useless e-mail messages.
Moreover, rejecting all incoming fragmented packets may hamper your normal
work. Consider the following example. The maximum IP packet length a link will
carry (its MTU) is usually circa 1500 bytes, but it may be less or more on
different network segments. Even packets that were not sent fragmented by their
source may become fragmented somewhere on the way to their destination when they
encounter a network segment with a stricter packet length limitation. Even the
newest protocols for determining the maximum IP packet length along a given
route (path MTU discovery) do not always give a guaranteed result, because IP
packets from the same source travel through the network independently and may
take different routes. Therefore, fully prohibiting reception of fragmented
packets may hinder (temporarily or permanently) the normal operation of some
applications communicating with some hosts.
If you decide to authorize incoming fragmented packets, then one of the first
filters to apply could be:
ipfw add accept all ip_tail_fragment from 0/0 to 0/0
The above filter accepts all incoming fragments except the first fragment of
each packet. Such an authorization is not harmful to your security (with the
exception of the "denial of service" attack described above), because the first
fragment of a packet, which carries the main information about the whole packet,
will already have been verified by one of the preceding filters. If the first
fragment has been rejected by a filter, then all the remaining fragments, when
received by the destination host without the first one, will be rejected there
after some delay (normally fixed at 60 sec.).
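The following Python script is an added illustration, not part of the Alvarion manual and not the device's firmware code. It parses the IPv4 header fields that the two ipfw rules above key on (the "more fragments" flag and the fragment offset), shows why a port-checking filter sees ports only in the first fragment, models the two policies from this section (reject every fragment, or accept only tail fragments ahead of the port check), and includes a toy destination-host reassembly queue that discards orphaned tail fragments after the 60-second delay the text mentions. The addresses, identifiers, port numbers and packets are constructed for the example; the `strict_policy`/`permissive_policy` names and the "accept port 80 only" rule are assumptions made here, not a description of the device's actual rule evaluation.

```python
"""Added example (not from the Alvarion manual): IPv4 fragment classification,
the manual's two ipfw fragment policies, and orphan-fragment expiry."""
import socket
import struct
from dataclasses import dataclass

IP_MF = 0x2000            # "More Fragments" bit of the flags/offset field
IP_OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, in 8-byte units
PROTO_TCP, PROTO_UDP = 6, 17
REASSEMBLY_TIMEOUT = 60.0  # seconds; the typical value quoted in the manual


@dataclass
class IPv4Info:
    src: str
    dst: str
    proto: int
    ident: int
    offset: int            # byte offset of this fragment inside the datagram
    more_fragments: bool
    payload: bytes

    @property
    def is_fragment(self) -> bool:        # what the manual calls "ip_fragment"
        return self.more_fragments or self.offset != 0

    @property
    def is_tail_fragment(self) -> bool:   # what the manual calls "ip_tail_fragment"
        return self.offset != 0


def parse_ipv4(pkt: bytes) -> IPv4Info:
    """Decode the fixed IPv4 header; options are skipped via the IHL field."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _len, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return IPv4Info(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, ident,
                    (flags_off & IP_OFFSET_MASK) * 8, bool(flags_off & IP_MF),
                    pkt[ihl:])


def transport_ports(info: IPv4Info):
    """(sport, dport) or None: only the first fragment carries the TCP/UDP header."""
    if info.offset != 0 or info.proto not in (PROTO_TCP, PROTO_UDP) or len(info.payload) < 4:
        return None
    return struct.unpack("!HH", info.payload[:4])


def port_rule(info: IPv4Info, allowed_dport: int = 80) -> str:
    """A port-checking filter (assumed rule: accept destination port 80 only)."""
    ports = transport_ports(info)
    return "accept" if ports is not None and ports[1] == allowed_dport else "reject"


def strict_policy(info: IPv4Info) -> str:
    """'ipfw add reject all ip_fragment from 0/0 to 0/0' ahead of the port rule."""
    return "reject" if info.is_fragment else port_rule(info)


def permissive_policy(info: IPv4Info) -> str:
    """'ipfw add accept all ip_tail_fragment from 0/0 to 0/0' ahead of the port rule."""
    return "accept" if info.is_tail_fragment else port_rule(info)


class Reassembler:
    """Destination-host view: fragments of a datagram wait at most
    REASSEMBLY_TIMEOUT seconds for the rest of the datagram, then are dropped."""
    def __init__(self):
        self.pending = {}  # (src, dst, proto, ident) -> {"born", "have_first", "have_last"}

    def receive(self, info: IPv4Info, now: float) -> str:
        key = (info.src, info.dst, info.proto, info.ident)
        e = self.pending.setdefault(key, {"born": now, "have_first": False, "have_last": False})
        e["have_first"] |= info.offset == 0
        e["have_last"] |= not info.more_fragments
        if e["have_first"] and e["have_last"]:    # toy completeness check, no gap tracking
            del self.pending[key]
            return "complete"
        return "pending"

    def expire(self, now: float) -> list:
        stale = [k for k, e in self.pending.items() if now - e["born"] >= REASSEMBLY_TIMEOUT]
        for k in stale:
            del self.pending[k]
        return stale


def make_ipv4(src, dst, proto, ident, offset, more, payload: bytes) -> bytes:
    """Build a constructed test packet (checksum left zero; never put on the wire)."""
    flags_off = (IP_MF if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def demo() -> dict:
    """Run both policies over constructed packets and show orphan-fragment expiry."""
    tcp_to_80 = struct.pack("!HH", 40000, 80) + b"\x00" * 16   # sport 40000, dport 80
    tcp_to_23 = struct.pack("!HH", 40000, 23) + b"\x00" * 16   # sport 40000, dport 23
    a, b = "10.0.0.5", "10.0.0.9"                               # constructed addresses
    whole = parse_ipv4(make_ipv4(a, b, PROTO_TCP, 1, 0, False, tcp_to_80))
    first = parse_ipv4(make_ipv4(a, b, PROTO_TCP, 2, 0, True, tcp_to_80))
    tail = parse_ipv4(make_ipv4(a, b, PROTO_TCP, 2, 1480, False, b"x" * 16))
    bad_first = parse_ipv4(make_ipv4(a, b, PROTO_TCP, 3, 0, True, tcp_to_23))
    bad_tail = parse_ipv4(make_ipv4(a, b, PROTO_TCP, 3, 1480, False, b"x" * 16))
    host = Reassembler()
    orphan = host.receive(bad_tail, now=0.0)   # its first fragment was rejected by port_rule
    return {
        "tail_ports": transport_ports(tail),
        "strict": [strict_policy(p) for p in (whole, first, tail)],
        "permissive": [permissive_policy(p) for p in (whole, first, tail, bad_first, bad_tail)],
        "orphan": orphan,
        "expired_at_30": host.expire(30.0),
        "expired_at_60": host.expire(60.0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the trade-off the section describes: the strict policy rejects both fragments of a legitimate port-80 packet, while the permissive policy lets the tail fragment through and relies on the port rule having already judged the first one; the tail fragment whose first fragment was rejected sits in the host's queue and is discarded at the 60-second mark.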
Logging of packets