Enable the management of fragmented IP packets


nuser
June 12th, 2007, 11:34 PM
Hi, Frederic,
In the advanced options, there is an "Enable Management of fragmented IP packets".

From the help file:
'Enable the management of blocked packet' this option configures the packet filter to have fragmented packet allowed or blocked according to the rule that applied to the first packet. It means ruleset doesn't apply to fragmented packet. A fragmented packet is allowed if the first packet was allowed, and blocked otherwise.


(1) the names are inconsistent between LnS and the help file. Maybe the help file should be revised a little.
(2) If I set some rules to block fragmented packets, they will always be blocked with the first matching rule. So, what is the purpose of this option (Enable the management of fragmented IP packets)?

Thanks in advance.

Frederic
June 13th, 2007, 04:00 PM
Hi nuser,

Yes, there is a typo in the help file. It should be:
• 'Enable the management of fragmented packet'...

The purpose of the option is to not apply the ruleset directly on fragmented packets. A fragmented packet (not the first one) should be allowed if the first packet has been allowed, and blocked if the first packet has been blocked.
Only the first packet contains the relevant information for filtering (TCP/UDP headers...); the other packets contain only the payload.

Frederic

nuser
June 13th, 2007, 10:49 PM
Thanks a lot, Frederic,
So, the purpose is to 'save filtering time'. When LnS filters a fragmented packet, it caches the characteristics of this fragmented packet in the memory. Next time, when LnS meets the same type, LnS blocks/allows it immediately without matching the ruleset.
Am I right?

Frederic
June 14th, 2007, 03:54 PM
The purpose is not to save filtering time.
The purpose is to filter accurately. As I explained, TCP/UDP headers (ports, flags) are valid only for the first packet of a list of fragmented packets. So the rule has to be applied only to the first packet.
When a rule checking for instance a TCP port is applied on a fragmented packet (not the first one), it tests something which is not a port, when this option is not enabled, and some strange logging appears in the log...

On the principle, yes it is something like that.

Frederic

nuser
June 17th, 2007, 01:48 AM
thanks a lot, Frederic,
Now I understand LnS might work in this procedure:
If this option is ON, LnS will check IP ID, MF, Offset and test the first packet (offset=0). For other packets with the same ID, LnS just blocks/allows them according to the first packet.
If this option is OFF, LnS assumes that all packets are non-fragmented and tests the tcp/udp/icmp headers anyway (these headers don't exist in the fragmented packets, except the first one), which might be a problem.
So, this option should ALWAYS be checked. Right?
Also, this only works for standard ruleset. For enhanced and phantom ruleset, all fragmented packets are blocked by default.

Frederic
June 17th, 2007, 04:08 AM
-{ Quote: "thanks a lot, Frederic,
Now I understand LnS might work in this procedure:
If this option is ON, LnS will check IP ID, MF, Offset and test the first packet (offset=0). For other packets with the same ID, LnS just blocks/allows them according to the first packet.
If this option is OFF, LnS assumes that all packets are non-fragmented and tests the tcp/udp/icmp headers anyway (these headers don't exist in the fragmented packets, except the first one), which might be a problem.
" }-
Yes, this is exactly how it works.
-{ Quote: "
So, this option should ALWAYS be checked. Right?
" }-
If there is no fragmented packet on the network of your ISP, then it is not mandatory to set the option.
-{ Quote: "
Also, this only works for standard ruleset. For enhanced and phantom ruleset, all fragmented packets are blocked by default." }-
Yes, if you are talking about the first packet of a fragmented list, and if the first packet is blocked, the option is useless.

Frederic
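The procedure nuser describes above and Frederic confirms (evaluate the ruleset only on the offset-0 fragment, reuse its verdict for later fragments with the same IP ID, and otherwise read payload bytes as if they were a transport header) can be simulated in a few lines. The following is an added example written for this thread, not Look 'n' Stop's code; the fragments, addresses and the single "allow UDP/53" rule are constructed to show the difference between the option being ON and OFF.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed simulation of fragment-aware filtering; not LnS code.

@dataclass
class Fragment:
    src: str
    dst: str
    proto: int         # 17 = UDP, 6 = TCP
    ip_id: int         # IP Identification, shared by all fragments of one datagram
    mf: bool           # More Fragments flag
    offset: int        # fragment offset in 8-byte units; 0 = first fragment
    payload: bytes     # transport header + data on the first fragment, data only on others

@dataclass
class Rule:
    action: str                      # "allow" or "block"
    proto: Optional[int] = None
    dst_port: Optional[int] = None

def port_field(frag: Fragment) -> Optional[int]:
    """Bytes 2..3 of the payload: the destination port on a first fragment,
    but arbitrary payload bytes on every other fragment."""
    if len(frag.payload) < 4:
        return None
    return struct.unpack("!H", frag.payload[2:4])[0]

def rule_matches(rule: Rule, frag: Fragment) -> bool:
    if rule.proto is not None and frag.proto != rule.proto:
        return False
    if rule.dst_port is not None and port_field(frag) != rule.dst_port:
        return False
    return True

class FragmentAwareFilter:
    def __init__(self, rules: List[Rule], manage_fragments: bool, default: str = "block"):
        self.rules = rules
        self.manage_fragments = manage_fragments   # the thread's option, ON or OFF
        self.default = default
        self.verdicts = {}   # (src, dst, proto, ip_id) -> verdict of the first fragment
        self.log = []        # (ip_id, offset, "port" read, verdict) per ruleset evaluation

    def _apply_ruleset(self, frag: Fragment) -> str:
        verdict = next((r.action for r in self.rules if rule_matches(r, frag)), self.default)
        self.log.append((frag.ip_id, frag.offset, port_field(frag), verdict))
        return verdict

    def decide(self, frag: Fragment) -> str:
        fragmented = frag.mf or frag.offset > 0
        if not self.manage_fragments or not fragmented:
            # option OFF: every fragment is matched as if it carried a header
            return self._apply_ruleset(frag)
        key = (frag.src, frag.dst, frag.proto, frag.ip_id)
        if frag.offset == 0:
            # option ON: only the first fragment is tested; its verdict is cached
            self.verdicts[key] = self._apply_ruleset(frag)
            return self.verdicts[key]
        # later fragment: inherit the first fragment's verdict (default if never seen)
        return self.verdicts.get(key, self.default)

UDP = 17
RULES = [Rule("allow", proto=UDP, dst_port=53)]   # allow DNS, block everything else

def sample_fragments() -> List[Fragment]:
    """Constructed two-fragment UDP datagram to port 53 (addresses are made up)."""
    first = Fragment("10.0.0.5", "10.0.0.53", UDP, ip_id=0x1A2B, mf=True, offset=0,
                     payload=struct.pack("!HHHH", 40000, 53, 1024, 0) + b"A" * 8)
    second = Fragment("10.0.0.5", "10.0.0.53", UDP, ip_id=0x1A2B, mf=False, offset=1,
                      payload=b"\x00\x00\x12\x34" + b"B" * 4)   # bytes 2..3 look like port 4660
    return [first, second]

def run_scenario(manage_fragments: bool) -> Tuple[List[str], list]:
    f = FragmentAwareFilter(RULES, manage_fragments)
    verdicts = [f.decide(frag) for frag in sample_fragments()]
    return verdicts, f.log

if __name__ == "__main__":
    for flag in (True, False):
        verdicts, log = run_scenario(flag)
        print(f"option {'ON ' if flag else 'OFF'}: verdicts={verdicts} log={log}")
```

With the option ON the second fragment is never matched against the ruleset and inherits the first fragment's "allow". With the option OFF the second fragment is tested as if it had a UDP header, the rule reads payload bytes 0x1234 as destination port 4660, the fragment is blocked and the log records a port that was never on the wire, which is the "strange logging" Frederic mentions.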

nuser
June 17th, 2007, 05:15 AM
-{ Quote: "
Yes, if you are talking about the first packet of a fragmented list, and if the first packet is blocked, the option is useless.

Frederic" }-
Hi, Frederic,
yes.
With the enhanced ruleset, the first fragmented packet will ALWAYS be blocked, because MF=1.

Phant0m
June 17th, 2007, 05:22 AM
'IP : MF Flag Block' rule in EnhancedRulesSet is disabled by default, or am I wrong?

nuser
June 17th, 2007, 05:25 AM
Phant0m, you are right. It's not ticked by default.

Frederic
June 17th, 2007, 07:04 AM
Yes, we preferred to leave these rules optional.

Frederic