Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: ipfilter blocking ip fragments
Operating Systems Solaris ipfilter blocking ip fragments Post 302481462 by DGPickett on Friday 17th of December 2010 03:10:20 PM
Old 12-17-2010
Well, you cannot filter fragments unless you keep state, assuming the header fragment survives and arrives first. I guess if you wanted to be nice, you would store fragments for a while or until they are validated by a header fragment, and hold header fragments for a while, but state and storage makes the firewall vulnerable.

Can you make the UDP apps use smaller packets?

I always thought they messed up in http, making it tcp based, at least until http1.1 persistent connections with compression. I thought it might be nice to add a UDP flavored brother. A small graphic file GET would be one packet out, one back, no extra for SYN or FIN or ACK. DNS makes great use of UDP, one socket for an app that, for every packet in, sends one packet out, no fork, threads, poll, select, listen, accept or such.
 

10 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

fragments in Solaris 8

When discussing inodes and data blocks, I know Solaris creates these data blocks with a total size of 8192b, divided into eight 1024b "fragments." It stores data in "contiguous" fragments and solaris doesn't allow a file to use portions of two different fragments. If the file size permits, then the... (4 Replies)
Discussion started by: manderson19
4 Replies

2. HP-UX

ipfilter hpux11.11

how can I create a rule that will allow my machine to FTP to itself, but not allow other machines to FTP to it.. I know this sounds weird but this how they want it so they can test some application functionality that uses ftp. (2 Replies)
Discussion started by: csaunders
2 Replies

3. Solaris

ipfilter solaris express

Hello, | am trying to setup ipfilter on solaris express snv_91 but I don't seem to have the following file available. /etc/ipf/pfil.ap Is this an older way of configuring the interface?, I have all the packages installed. Thanks, (1 Reply)
Discussion started by: Actuator
1 Replies

4. Cybersecurity

questions about ipfilter

Dears, i am a new user for using ipfilter in solaris 10 and i have some question about this: by using ipfilter for example 1- i want specific MAC address able to access hotmail only 2- also i want to make 10MB for this MAC address is a max download per day 3- i am asking about using MAC... (0 Replies)
Discussion started by: coxmanchester
0 Replies

5. Solaris

NAT IPFilter

Hi everybody, I'm running on Solaris 10 X86 (update 1009). I would like to make NAT's rule. I explain you. On Solaris, I configure the principal interface e1000g0 with IP : 192.168.0.33 I created the first logical interface like that : ifconfig e1000g0 addif 192.168.0.40 netmask... (0 Replies)
Discussion started by: aureliensm
0 Replies

6. Solaris

Ipfilter question

Howdy My goal is to block locally the applications on a Solaris 10 server to access specific port on a remote machine. All attempts to access the <remote ip>:<remote port> should be rejected with ICMP port unreachable or with TCP RST. I tried with the following: block... (2 Replies)
Discussion started by: ralome
2 Replies

7. Shell Programming and Scripting

Extract fragments from file

I have a .xml file that looks something like this : <measInfo> ......... string1 ......... </measInfo> <measInfo> ...... string2 ........ </measInfo> I want to extract only the 'chunk of file' from '<measInfo>' to '</measInfo>' containing string1 (or a certain string that I... (13 Replies)
Discussion started by: black_fender
13 Replies

8. Programming

Which are blocking and non-blocking api's in sockets in C ?

among the below socket programming api's, please let me know which are blocking and non-blocking. socket accept bind listen write read close (2 Replies)
Discussion started by: VSSajjan
2 Replies

9. Solaris

A little help with ipfilter on Omnios

I'm on OmniOS. I have set a linux zone(lx zone) wich use 10.2.0.0/24 network. The other network,connected to internet is 192.168.0.0/24 The network interface of 10.2.0.0/24 is bge1 The network interface of 192.168.0.0/24 is bge0 I know is more easy to use the same network but i prefer to... (1 Reply)
Discussion started by: Linusolaradm1
1 Replies

10. Shell Programming and Scripting

Why the results of these two code fragments are not the same?

Code 1: #!/bin/sh for arg1 in "$@" do counter=0 for arg2 in "$@" do if && then counter=$((counter+1)) continue fi (8 Replies)
Discussion started by: johnprogrammer
8 Replies

LEARN ABOUT FREEBSD

blackhole

BLACKHOLE(4)						   BSD Kernel Interfaces Manual 					      BLACKHOLE(4)

NAME

     blackhole -- a sysctl(8) MIB for manipulating behaviour in respect of refused TCP or UDP connection attempts

SYNOPSIS

     sysctl net.inet.tcp.blackhole[=[0 | 1 | 2]]
     sysctl net.inet.udp.blackhole[=[0 | 1]]

DESCRIPTION

     The blackhole sysctl(8) MIB is used to control system behaviour when connection requests are received on TCP or UDP ports where there is no
     socket listening.

     Normal behaviour, when a TCP SYN segment is received on a port where there is no socket accepting connections, is for the system to return a
     RST segment, and drop the connection.  The connecting system will see this as a ``Connection refused''.  By setting the TCP blackhole MIB to
     a numeric value of one, the incoming SYN segment is merely dropped, and no RST is sent, making the system appear as a blackhole.  By setting
     the MIB value to two, any segment arriving on a closed port is dropped without returning a RST.  This provides some degree of protection
     against stealth port scans.

     In the UDP instance, enabling blackhole behaviour turns off the sending of an ICMP port unreachable message in response to a UDP datagram
     which arrives on a port where there is no socket listening.  It must be noted that this behaviour will prevent remote systems from running
     traceroute(8) to a system.

     The blackhole behaviour is useful to slow down anyone who is port scanning a system, attempting to detect vulnerable services on a system.
     It could potentially also slow down someone who is attempting a denial of service attack.

WARNING

     The TCP and UDP blackhole features should not be regarded as a replacement for firewall solutions.  Better security would consist of the
     blackhole sysctl(8) MIB used in conjunction with one of the available firewall packages.

     This mechanism is not a substitute for securing a system.	It should be used together with other security mechanisms.

SEE ALSO

     ip(4), tcp(4), udp(4), ipf(8), ipfw(8), pfctl(8), sysctl(8)

HISTORY

     The TCP and UDP blackhole MIBs first appeared in FreeBSD 4.0.

AUTHORS

     Geoffrey M. Rehmet

BSD
								  January 1, 2007							       BSD
All times are GMT -4. The time now is 01:40 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy