Enable the management of fragmented IP packets

Discussion in 'LnS English Forum' started by nuser, Jun 12, 2007.

Thread Status:
Not open for further replies.
  1. nuser (Registered Member; joined May 31, 2007; 105 posts; Singapore)
    Hi, Frederic,
    In the advanced options, there is an "Enable Management of fragmented IP packets".

    From the help file:
    'Enable the management of blocked packet' this option configures the packet filter to have fragmented packet allowed or blocked according to the rule that applied to the first packet. It means ruleset doesn't apply to fragmented packet. A fragmented packet is allowed if the first packet was allowed, and blocked otherwise.


    (1) The names are inconsistent between LnS and the help file. Maybe the help file should be revised a little.
    (2) If I set some rules to block fragmented packets, they will always be blocked with the first matching rule. So, what is the purpose of this option (Enable the management of fragmented IP packets)?

    Thanks in advance.
     
  2. Frederic (LnS Developer; joined Jan 9, 2003; 4,354 posts; France)
    Hi nuser,

    Yes, there is a typo in the help file. It should be:
    • 'Enable the management of fragmented packet'...

    The purpose of the option is to not apply the ruleset directly to fragmented packets. A fragmented packet (not the first one) should be allowed if the first packet has been allowed, and blocked if the first packet has been blocked.
    Only the first packet contains the relevant information for filtering (TCP/UDP headers...); the other packets contain only the payload.

    Frederic
     
  3. nuser (Registered Member; joined May 31, 2007; 105 posts; Singapore)
    Thanks a lot, Frederic,
    So, the purpose is to 'save filtering time'. When LnS filters a fragmented packet, it caches the characteristics of this fragmented packet in memory. Next time, when LnS meets the same type, LnS blocks/allows it immediately without matching the ruleset.
    Am I right?
     
  4. Frederic (LnS Developer; joined Jan 9, 2003; 4,354 posts; France)
    The purpose is not to save filtering time.
    The purpose is to filter accurately. As I explained, TCP/UDP headers (ports, flags) are valid only for the first packet of a list of fragmented packets. So the rule has to be applied only to the first packet.
    When a rule checking, for instance, a TCP port is applied to a fragmented packet (not the first one), it tests something which is not a port when this option is not enabled, and some strange logging appears in the log...

    On the principle, yes it is something like that.

    Frederic
     
  5. nuser (Registered Member; joined May 31, 2007; 105 posts; Singapore)
    Thanks a lot, Frederic,
    Now I understand LnS might work in this procedure:
    If this option is ON, LnS will check IP ID, MF, Offset and test the first packet (offset=0). For other packets with the same ID, LnS just blocks/allows them according to the first packet.
    If this option is OFF, LnS assumes that all packets are non-fragmented and tests the TCP/UDP/ICMP header anyway (these headers don't exist in the fragmented packets, except the first one), which might be a problem.
    So, this option should ALWAYS be checked. Right?
    Also, this only works for standard ruleset. For enhanced and phantom ruleset, all fragmented packets are blocked by default.
     
  6. Frederic (LnS Developer; joined Jan 9, 2003; 4,354 posts; France)
    Yes, this is exactly how it works.
    If there is no fragmented packet on the network of your ISP, then it is not mandatory to set the option.
    Yes, if you are talking about the first packet of a fragmented list, and if the first packet is blocked, the option is useless.

    Frederic
     
  7. nuser (Registered Member; joined May 31, 2007; 105 posts; Singapore)
    Hi, Frederic,
    Yes.
    With the enhanced ruleset, the first fragmented packet will ALWAYS be blocked, because MF=1.
     
  8. Phant0m (Registered Member; joined Jun 7, 2003; 3,684 posts; Canada)
    'IP : MF Flag Block' rule in EnhancedRulesSet is disabled by default, or I'm wrong?
     
  9. nuser (Registered Member; joined May 31, 2007; 105 posts; Singapore)
    Phant0m, you are right. It's not ticked by default.
     
  10. Frederic (LnS Developer; joined Jan 9, 2003; 4,354 posts; France)
    Yes, we preferred to leave these rules optional.

    Frederic
     
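The behaviour Frederic and nuser work out in posts 4 to 6 (rules are only meaningful on the first fragment, which is the one carrying the TCP/UDP header; later fragments with the same IP ID inherit its verdict; with the option off, a port rule reads "ports" out of raw payload) and the optional MF-flag block rule from posts 7 to 10 can be shown with a small fragment-aware filter. The code below is an added illustration written for this page; it is not Look 'n' Stop code and does not reproduce its rule format. The `RULES` table, the `filter_packets`/`build_ipv4` helpers, the `mf_flag_block` switch (a stand-in for the "IP : MF Flag Block" rule) and the two-fragment UDP sample are all constructed for the example; the default verdict for a fragment whose first piece was never seen is an assumption, not documented LnS behaviour.

```python
import struct

# Constructed stand-in for a packet-filter ruleset (assumption, not LnS's rule format):
# (action, IP protocol number, destination port). First match wins.
RULES = [
    ("allow", 17, 53),    # allow DNS over UDP
    ("allow", 6, 443),    # allow HTTPS over TCP
]
DEFAULT_ACTION = "block"  # nothing else is permitted


def parse_ipv4(pkt):
    """Parse the IPv4 fields needed for fragment handling."""
    (ver_ihl, _tos, _total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "mf": bool(flags_off & 0x2000),       # More Fragments flag
        "offset": (flags_off & 0x1FFF) * 8,   # fragment offset, in bytes
        "proto": proto,
        "src": src,
        "dst": dst,
        "payload": pkt[ihl:],
    }


def read_ports(ip):
    """Read (sport, dport) from the four bytes after the IP header.
    These are the TCP/UDP ports only in the first fragment (offset 0);
    in any later fragment the same bytes are just payload."""
    if len(ip["payload"]) < 4:
        return None
    return struct.unpack("!HH", ip["payload"][:4])


def apply_rules(ip, ports):
    for action, proto, dport in RULES:
        if ip["proto"] == proto and ports is not None and ports[1] == dport:
            return action
    return DEFAULT_ACTION


def filter_packets(packets, manage_fragments, mf_flag_block=False):
    """Return one (verdict, ports_examined) tuple per packet.

    manage_fragments=True : non-first fragments inherit the verdict given to the
                            first fragment with the same (src, dst, proto, ID);
                            the ruleset is never run against them.
    manage_fragments=False: every packet is treated as unfragmented and the port
                            rules read whatever follows the IP header.
    mf_flag_block=True    : stand-in for an optional "MF flag block" rule: every
                            packet with MF set (so every first fragment) is blocked.
    """
    verdicts = []
    first_fragment_verdict = {}
    for pkt in packets:
        ip = parse_ipv4(pkt)
        key = (ip["src"], ip["dst"], ip["proto"], ip["id"])
        if manage_fragments and ip["offset"] > 0:
            # Non-first fragment: no transport header here, so do not consult the
            # ruleset. If its first fragment was never seen (lost or out of order),
            # fall back to the default action (assumption made for this example).
            verdicts.append((first_fragment_verdict.get(key, DEFAULT_ACTION), None))
            continue
        if mf_flag_block and ip["mf"]:
            verdict, ports = "block", None
        else:
            ports = read_ports(ip)
            verdict = apply_rules(ip, ports)
        if manage_fragments and ip["mf"]:
            first_fragment_verdict[key] = verdict  # remember for the rest of the chain
        verdicts.append((verdict, ports))
    return verdicts


def build_ipv4(ident, mf, offset, proto, payload,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Build a minimal IPv4 packet (header checksum left at zero; never sent on a wire)."""
    assert offset % 8 == 0, "fragment offsets are in 8-byte units"
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr + payload


# Constructed sample traffic: one 24-byte UDP/53 datagram split into two fragments.
UDP_HEADER = struct.pack("!HHHH", 40000, 53, 24, 0)   # sport, dport, length, checksum
FRAG_FIRST = build_ipv4(0x1234, True, 0, 17, UDP_HEADER + b"A" * 8)
FRAG_LAST = build_ipv4(0x1234, False, 16, 17, b"\xde\xad\xbe\xef" + b"B" * 4)

if __name__ == "__main__":
    for managed in (True, False):
        print("manage fragments =", managed, "->",
              filter_packets([FRAG_FIRST, FRAG_LAST], managed))
    print("with MF block rule ->",
          filter_packets([FRAG_FIRST, FRAG_LAST], True, mf_flag_block=True))
```

With the option on, the second fragment is allowed because the first was, and no port is ever read from it. With the option off, the same fragment is judged on the bytes `de ad be ef`, which the port rule sees as ports 57005 and 48879; that is exactly the "strange logging" Frederic describes, and under a default-block policy the fragment is dropped. With the MF-flag rule enabled, the first fragment is blocked outright and, as nuser notes, the rest of the chain follows it.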