Operating Systems Solaris ipfilter blocking ip fragments Post 302479956 by DGPickett on Monday 13th of December 2010 11:40:25 AM
Well, as I recall, IP fragments have no TCP or UDP header, just the 20-byte IP header that says it is a UDP or TCP fragment, so no port number to filter on. Maybe you uncovered a bug. Your packet sizes bear this out.

IP fragmentation is not a very robust way to deal with big data, and many apps manage the packet size within the MTU to avoid it. This may be why such a defect was not previously found. Either that, or some timer on how long to wait for reassembly in the filtering process is set too low. Unlike TCP segmentation, a lost packet costs you 100% of the application block, not on average 50% max., and you still have the 65K limit waiting for you if you do not have an app-level fragmenter that integrates with smart retransmission.

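The point made in the post above, as an added example that is not part of the original post: a UDP datagram larger than the MTU is split into IPv4 fragments, and a port-based filter rule can only be evaluated against the fragment that carries the UDP header. The addresses, the ports, the 3000-byte payload and all function names are constructed for illustration.

```python
import struct

def ipv4_packet(src, dst, proto, ident, offset_units, more, payload):
    """Build a 20-byte IPv4 header (checksum left at 0) plus payload."""
    flags_frag = (0x2000 if more else 0) | offset_units   # MF bit + 13-bit offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, bytes(src), bytes(dst))
    return hdr + payload

def fragment_udp(src, dst, sport, dport, data, mtu=1500):
    """Split one UDP datagram into IPv4 fragments for the given MTU."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    step = (mtu - 20) // 8 * 8      # fragment payloads are multiples of 8 bytes
    return [ipv4_packet(src, dst, 17, 0x1234, off // 8,
                        off + step < len(udp), udp[off:off + step])
            for off in range(0, len(udp), step)]

def visible_to_filter(pkt):
    """Return what a stateless filter can read from a single packet."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag, = struct.unpack_from("!H", pkt, 6)
    offset = (flags_frag & 0x1FFF) * 8
    more = bool(flags_frag & 0x2000)
    ports = None
    if offset == 0 and len(pkt) >= ihl + 4:
        # Only the fragment at offset 0 starts with the UDP/TCP header.
        ports = struct.unpack_from("!HH", pkt, ihl)
    return {"offset": offset, "more": more, "is_fragment": more or offset > 0,
            "len": len(pkt), "ports": ports}

def port_rule_matches(pkt, dport):
    """A rule keyed on destination port can match only when ports are visible."""
    info = visible_to_filter(pkt)
    return info["ports"] is not None and info["ports"][1] == dport

# Constructed sample: documentation addresses, arbitrary ports, 3000-byte payload.
SRC, DST = (192, 0, 2, 10), (198, 51, 100, 20)
FRAGS = fragment_udp(SRC, DST, 40000, 2049, b"\x00" * 3000)

if __name__ == "__main__":
    for frag in FRAGS:
        print(visible_to_filter(frag), "port rule matches:",
              port_rule_matches(frag, 2049))
```

A filter that passes fragments on a port rule therefore has to track the first fragment (by source, destination, protocol and IP ID) or reassemble before matching; the later fragments alone give it nothing to compare.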
Checksum action in tc(8)                Linux                Checksum action in tc(8)

NAME
       csum - checksum update action

SYNOPSIS
       tc ... action csum UPDATE

       UPDATE := TARGET [ UPDATE ]

       TARGET := { ip4h | icmp | igmp | tcp | udp | udplite | sctp | SWEETS }

       SWEETS := { and | or | + }

DESCRIPTION
       The csum action triggers checksum recalculation of specified packet
       headers. It is commonly used to fix incorrect checksums after the
       pedit action has modified the packet content.

OPTIONS
       TARGET Specify which headers to update: IPv4 header (ip4h), ICMP
              header (icmp), IGMP header (igmp), TCP header (tcp), UDP
              header (udp), UDPLite header (udplite) or SCTP header (sctp).

       SWEETS These are merely syntactic sugar and ignored internally.

EXAMPLES
       The following performs stateless NAT for incoming packets from
       192.0.2.100 to new destination 198.51.100.1. Assuming these are UDP
       packets, both IP and UDP checksums have to be recalculated:

              # tc qdisc add dev eth0 ingress handle ffff:
              # tc filter add dev eth0 prio 1 protocol ip parent ffff: \
                   u32 match ip src 192.0.2.100/32 flowid :1 \
                   action pedit munge ip dst set 198.51.100.1 pipe \
                   csum ip and udp

SEE ALSO
       tc(8), tc-pedit(8)

iproute2                        11 Jan 2015                Checksum action in tc(8)
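Why the EXAMPLES section asks for both the IP and the UDP checksum after the destination rewrite, as an added example that is not part of the man page: the UDP checksum covers a pseudo-header containing the destination address, so rewriting the address invalidates both sums. The original destination 203.0.113.7, the ports, the payload and all function names are constructed assumptions.

```python
import socket
import struct

def csum16(data):
    """RFC 1071 Internet checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(pkt, ihl):
    """UDP checksums also cover source, destination, protocol and UDP length."""
    return pkt[12:20] + struct.pack("!BBH", 0, 17, len(pkt) - ihl)

def recalc(pkt, ip=True, udp=True):
    """Recompute the selected checksums (IPv4 header and/or UDP)."""
    pkt, ihl = bytearray(pkt), (pkt[0] & 0x0F) * 4
    if ip:
        pkt[10:12] = b"\x00\x00"
        pkt[10:12] = struct.pack("!H", csum16(bytes(pkt[:ihl])))
    if udp:
        pkt[ihl + 6:ihl + 8] = b"\x00\x00"
        value = csum16(pseudo_header(bytes(pkt), ihl) + bytes(pkt[ihl:]))
        pkt[ihl + 6:ihl + 8] = struct.pack("!H", value or 0xFFFF)  # 0 means "none"
    return bytes(pkt)

def verify(pkt):
    """Return (ip_ok, udp_ok); data that includes a correct checksum sums to 0."""
    ihl = (pkt[0] & 0x0F) * 4
    return csum16(pkt[:ihl]) == 0, csum16(pseudo_header(pkt, ihl) + pkt[ihl:]) == 0

def munge_dst(pkt, new_dst):
    """Overwrite only the destination address, as the pedit step does."""
    return pkt[:16] + socket.inet_aton(new_dst) + pkt[20:]

def sample_packet():
    """Constructed UDP packet; the original destination is an assumption."""
    udp = struct.pack("!HHHH", 5000, 53, 12, 0) + b"ping"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.100"), socket.inet_aton("203.0.113.7"))
    return recalc(ip + udp)

if __name__ == "__main__":
    rewritten = munge_dst(sample_packet(), "198.51.100.1")
    print("after rewrite only:    ", verify(rewritten))
    print("IP checksum fixed only:", verify(recalc(rewritten, udp=False)))
    print("IP and UDP both fixed: ", verify(recalc(rewritten)))
```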