12-13-2010
Well, as I recall, IP fragments have no tcp or udp header, just the 20 byte ip header that says it is a UDP or TCP fragment, so no port number to filter on. Maybe you uncovered a bug. Your packet sizes bear this out.
IP Fragmentation is not a very robust way to deal with big data, and many apps manage the packet size within the MTU to avoid it. This may be why such a defect was not previously found. Either that, or some timer on how long to wait for reassembly in the filtering process is set too low. Unlike tcp segmentation, a lost packet cost you 100% of the application block, not on average 50% max., and you still have the 65K limit waiting for you if you do not have an app level fragmenter that integrates with smart retransmission.
This User Gave Thanks to DGPickett For This Post:
10 More Discussions You Might Find Interesting
1. UNIX for Advanced & Expert Users
When discussing inodes and data blocks, I know Solaris creates these data blocks with a total size of 8192b, divided into eight 1024b "fragments." It stores data in "contiguous" fragments and solaris doesn't allow a file to use portions of two different fragments. If the file size permits, then the... (4 Replies)
Discussion started by: manderson19
4 Replies
2. HP-UX
how can I create a rule that will allow my machine to FTP to itself, but not allow other machines to FTP to it.. I know this sounds weird but this how they want it so they can test some application functionality that uses ftp. (2 Replies)
Discussion started by: csaunders
2 Replies
3. Solaris
Hello,
| am trying to setup ipfilter on solaris express snv_91 but I don't seem to have the following file available.
/etc/ipf/pfil.ap
Is this an older way of configuring the interface?, I have all the packages installed.
Thanks, (1 Reply)
Discussion started by: Actuator
1 Replies
4. Cybersecurity
Dears,
i am a new user for using ipfilter in solaris 10
and i have some question about this:
by using ipfilter
for example
1- i want specific MAC address able to access hotmail only
2- also i want to make 10MB for this MAC address is a max download per day
3- i am asking about using MAC... (0 Replies)
Discussion started by: coxmanchester
0 Replies
5. Solaris
Hi everybody,
I'm running on Solaris 10 X86 (update 1009).
I would like to make NAT's rule. I explain you.
On Solaris, I configure the principal interface e1000g0 with IP : 192.168.0.33
I created the first logical interface like that :
ifconfig e1000g0 addif 192.168.0.40 netmask... (0 Replies)
Discussion started by: aureliensm
0 Replies
6. Solaris
Howdy
My goal is to block locally the applications on a Solaris 10 server to access specific port on a remote machine. All attempts to access the <remote ip>:<remote port> should be rejected with ICMP port unreachable or with TCP RST.
I tried with the following:
block... (2 Replies)
Discussion started by: ralome
2 Replies
7. Shell Programming and Scripting
I have a .xml file that looks something like this :
<measInfo>
.........
string1
.........
</measInfo>
<measInfo>
......
string2
........
</measInfo>
I want to extract only the 'chunk of file' from '<measInfo>' to '</measInfo>' containing string1 (or a certain string that I... (13 Replies)
Discussion started by: black_fender
13 Replies
8. Programming
among the below socket programming api's, please let me know which are blocking and non-blocking.
socket
accept
bind
listen
write
read
close (2 Replies)
Discussion started by: VSSajjan
2 Replies
9. Solaris
I'm on OmniOS.
I have set a linux zone(lx zone) wich use 10.2.0.0/24 network.
The other network,connected to internet is 192.168.0.0/24
The network interface of 10.2.0.0/24 is bge1
The network interface of 192.168.0.0/24 is bge0
I know is more easy to use the same network but i prefer to... (1 Reply)
Discussion started by: Linusolaradm1
1 Replies
10. Shell Programming and Scripting
Code 1:
#!/bin/sh
for arg1 in "$@"
do
counter=0
for arg2 in "$@"
do
if &&
then
counter=$((counter+1))
continue
fi (8 Replies)
Discussion started by: johnprogrammer
8 Replies
Checksum action in tc(8) Linux Checksum action in tc(8)
NAME
csum - checksum update action
SYNOPSIS
tc ... action csum UPDATE
UPDATE := TARGET [ UPDATE ]
TARGET := { ip4h | icmp | igmp | tcp | udp | udplite | sctp | SWEETS }
SWEETS := { and | or | + }
DESCRIPTION
The csum action triggers checksum recalculation of specified packet headers. It is commonly used to fix incorrect checksums after the pedit
action has modified the packet content.
OPTIONS
TARGET Specify which headers to update: IPv4 header (ip4h), ICMP header (icmp), IGMP header (igmp), TCP header (tcp), UDP header (udp),
UDPLite header (udplite) or SCTP header (sctp).
SWEETS These are merely syntactic sugar and ignored internally.
EXAMPLES
The following performs stateless NAT for incoming packets from 192.0.2.100 to new destination 198.51.100.1. Assuming these are UDP packets,
both IP and UDP checksums have to be recalculated:
# tc qdisc add dev eth0 ingress handle ffff:
# tc filter add dev eth0 prio 1 protocol ip parent ffff:
u32 match ip src 192.0.2.100/32 flowid :1
action pedit munge ip dst set 198.51.100.1 pipe
csum ip and udp
SEE ALSO
tc(8), tc-pedit(8)
iproute2 11 Jan 2015 Checksum action in tc(8)