Login or Register to Ask a Question and Join Our Community


Solaris

ipfilter blocking ip fragments

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Operating Systems Solaris ipfilter blocking ip fragments
# 1  
Old 12-17-2010
Well, you cannot filter fragments unless you keep state, assuming the header fragment survives and arrives first. I guess if you wanted to be nice, you would store fragments for a while or until they are validated by a header fragment, and hold header fragments for a while, but state and storage makes the firewall vulnerable.

Can you make the UDP apps use smaller packets?

I always thought they messed up in http, making it tcp based, at least until http1.1 persistent connections with compression. I thought it might be nice to add a UDP flavored brother. A small graphic file GET would be one packet out, one back, no extra for SYN or FIN or ACK. DNS makes great use of UDP, one socket for an app that, for every packet in, sends one packet out, no fork, threads, poll, select, listen, accept or such.
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

Why the results of these two code fragments are not the same?

Code 1: #!/bin/sh for arg1 in "$@" do counter=0 for arg2 in "$@" do if && then counter=$((counter+1)) continue fi (8 Replies)
Discussion started by: johnprogrammer
8 Replies

2. Solaris

A little help with ipfilter on Omnios

I'm on OmniOS. I have set a linux zone(lx zone) wich use 10.2.0.0/24 network. The other network,connected to internet is 192.168.0.0/24 The network interface of 10.2.0.0/24 is bge1 The network interface of 192.168.0.0/24 is bge0 I know is more easy to use the same network but i prefer to... (1 Reply)
Discussion started by: Linusolaradm1
1 Replies

3. Programming

Which are blocking and non-blocking api's in sockets in C ?

among the below socket programming api's, please let me know which are blocking and non-blocking. socket accept bind listen write read close (2 Replies)
Discussion started by: VSSajjan
2 Replies

4. Shell Programming and Scripting

Extract fragments from file

I have a .xml file that looks something like this : <measInfo> ......... string1 ......... </measInfo> <measInfo> ...... string2 ........ </measInfo> I want to extract only the 'chunk of file' from '<measInfo>' to '</measInfo>' containing string1 (or a certain string that I... (13 Replies)
Discussion started by: black_fender
13 Replies

5. Solaris

Ipfilter question

Howdy My goal is to block locally the applications on a Solaris 10 server to access specific port on a remote machine. All attempts to access the <remote ip>:<remote port> should be rejected with ICMP port unreachable or with TCP RST. I tried with the following: block... (2 Replies)
Discussion started by: ralome
2 Replies

6. Solaris

NAT IPFilter

Hi everybody, I'm running on Solaris 10 X86 (update 1009). I would like to make NAT's rule. I explain you. On Solaris, I configure the principal interface e1000g0 with IP : 192.168.0.33 I created the first logical interface like that : ifconfig e1000g0 addif 192.168.0.40 netmask... (0 Replies)
Discussion started by: aureliensm
0 Replies

7. Cybersecurity

questions about ipfilter

Dears, i am a new user for using ipfilter in solaris 10 and i have some question about this: by using ipfilter for example 1- i want specific MAC address able to access hotmail only 2- also i want to make 10MB for this MAC address is a max download per day 3- i am asking about using MAC... (0 Replies)
Discussion started by: coxmanchester
0 Replies

8. Solaris

ipfilter solaris express

Hello, | am trying to setup ipfilter on solaris express snv_91 but I don't seem to have the following file available. /etc/ipf/pfil.ap Is this an older way of configuring the interface?, I have all the packages installed. Thanks, (1 Reply)
Discussion started by: Actuator
1 Replies

9. HP-UX

ipfilter hpux11.11

how can I create a rule that will allow my machine to FTP to itself, but not allow other machines to FTP to it.. I know this sounds weird but this how they want it so they can test some application functionality that uses ftp. (2 Replies)
Discussion started by: csaunders
2 Replies

10. UNIX for Advanced & Expert Users

fragments in Solaris 8

When discussing inodes and data blocks, I know Solaris creates these data blocks with a total size of 8192b, divided into eight 1024b "fragments." It stores data in "contiguous" fragments and solaris doesn't allow a file to use portions of two different fragments. If the file size permits, then the... (4 Replies)
Discussion started by: manderson19
4 Replies
Login or Register to Ask a Question

LEARN ABOUT SUNOS

netscript-compile

NET-COMPILE(8)						      System Manager's Manual						    NET-COMPILE(8)

NAME

       netscript-compile - netscript ipfilter-defs compile back end.

SYNOPSIS

       netcript-compile [ -fhq ] [ -b max-backup-level ]

DESCRIPTION

       This manual page documents briefly the netscript-compile command from the netscript router/firewall network configuration package.

       This  command is the back end to the netscript compile command documented in netscript(8) manpage.  See ipfilter-defs(5) for the details on
       the definitions files in /etc/netscript/ipfilter-defs.

       By default it checks to see if the relevant files in the /etc/netscript/ipfilter-defs directory have been updated by comparing their  modi-
       fication  times to that of /etc/netscript/ipfilter-defs.conf, and if updating is needed, it recompiles and re-creates the file.	Up to max-
       backup-levels of history are kept of previously compiled /etc/netscript/ipfilter-defs.conf files, with a  numeric  extention  in  order	of
       increasing age.

OPTIONS

       -b max-backup-level
	      Sets  the  maximum  level  of  backups  kept  of	previously  compiled files.  This defaults to 2 (see /etc/netscript/netscript-com-
	      pile.conf), and it is also used by the netscript(8) compile command.

       -f     Force compile even though compile file is up to date with definitions.  The testing depends on the modification times of the defini-
	      tion file inodes in the file system.

       -h
	      Show a summary of options.

       -q     Quiet compile.  This option suppresses informational progress messages.

FILES

       /etc/netscript/ipfilter-defs.conf,
       /etc/netscript/ipfilter-defs-compiled.conf,
       /etc/netscript/ipfilter-defs directory.

SEE ALSO

       ipfilter-defs(5), netscript(8).

AUTHOR

       This manual page was written by Matthew Grant <grantma@anathoth.gen.nz>, for the Debian GNU/Linux system (but may be used by others).

BUGS

       I wrote this manpage when I was not half asleep...

								  March 25, 2003						    NET-COMPILE(8)