IP Fragment

Discussion in 'LnS English Forum' started by nuser, Jun 2, 2007.

Thread Status:
Not open for further replies.
  1. nuser

    nuser Registered Member

    Hi,
    In the enhanced rules, there are 2 rules concerning the 'IP Fragmentation', with 'different 0' for frag offset and 'MF' for frag flags, respectively.

    Are IP packages with these 2 flags always illegal?

    What is the difference between 'equal 0' and 'different 0'?
     
  2. Climenole

    Climenole Look 'n' Stop Expert

    Hi nuser :)


    A fragmented IP packet is a packet with any fragment flag
    or different from any frag flag...

    Are these types of packets always illegal? I'm not sure.
    We have to confirm this with Frédéric since there are some internet connection providers who need some fragmented packets to work... Is it the same kind of fragmented packet? I'm not sure...


    This is for the Fragment Offset :

    For DF (Don't Fragment)

    0 means fragmentation forbidden
    1 means fragmentation allowed

    For MF (More Fragment)

    0= last fragment
    1= more fragments

    This must be understood in combination with the Fragment Flags:

    The possibilities are:

    ALL,
    DF (fragmentation forbidden),
    !DF (fragmentation allowed),
    MF (more fragments authorised),
    !MF (last fragment),
    DF+MF (fragmentation forbidden AND more fragments authorised),
    DF+!MF (fragmentation forbidden AND last fragment) ,
    !DF+MF (fragmentation allowed AND more fragments authorised),
    !DF+!MF (fragmentation allowed AND last fragment).

    :)

    OK. That's my last answer for tonight: my brain is now fragmented!
    No MF ! ;)

    :)
     
  3. WinCenzo

    WinCenzo Registered Member

    Hi Climenole, I'm a user of L'n'S and I have read many of your posts, and I want to say thx for your help.

    However, I'm going to ask something about this topic. In fact I wish to make a stricter rule for DNS, for example, and looking in the log I see that the packets for DNS connections are set to DF: 0 MF: 0 Frag Offset: 0
    So I was wondering what the correct settings are in the fragmentation fields of the rule configuration.
    I tried to do it by myself, but it seems I don't understand how it works properly, so I hope you can help me!

    Sorry for my English, and thx anyway for all.
     
  4. Climenole

    Climenole Look 'n' Stop Expert

    Hi WinCenzo :)

    If you attempt to have more restrictive DNS rules you'll have some problems...

    Most of the time the DNS requests are set to DF 0 MF 0 or DF 1 MF 0...

    A rule must increase security (here the respect of TCP-IP / DNS standards),
    not restrict things until they are unusable...

    The DNS rule is secure and usable. Don't fix what ain't broken ! ;)

    :)
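
The two conditions from the opening post, worked through as an added example (not part of the thread and not Look 'n' Stop's own code): it decodes the flags/offset word using the RFC 791 bit definitions and shows which condition matches each kind of packet. The sample headers are constructed, and `matched_rules` is a hypothetical model of the 'frag offset different 0' and 'frag flags MF' conditions, not the product's rule engine.

```python
import struct

# RFC 791: bytes 6-7 hold 3 flag bits followed by a 13-bit fragment offset.
DF, MF, OFFSET_MASK = 0x4000, 0x2000, 0x1FFF   # DF=1: don't fragment, MF=1: more follow


def frag_fields(header: bytes) -> dict:
    """Decode DF, MF and the fragment offset from a raw IPv4 header."""
    if len(header) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    if header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (word,) = struct.unpack_from("!H", header, 6)
    offset = word & OFFSET_MASK                # counted in 8-byte units
    return {"DF": int(bool(word & DF)), "MF": int(bool(word & MF)),
            "offset": offset, "offset_bytes": offset * 8}


def classify(header: bytes) -> str:
    """Name the packet's position in a fragment train."""
    f = frag_fields(header)
    if f["MF"]:
        return "first fragment" if f["offset"] == 0 else "middle fragment"
    return "last fragment" if f["offset"] else "not fragmented"


def matched_rules(header: bytes) -> list:
    """Hypothetical model of the two rule conditions named in the thread."""
    f = frag_fields(header)
    rules = []
    if f["offset"] != 0:
        rules.append("frag offset different 0")
    if f["MF"]:
        rules.append("frag flags MF")
    return rules


def sample_header(df: int, mf: int, offset: int) -> bytes:
    """Constructed 20-byte IPv4/UDP header (checksum 0, TEST-NET addresses)."""
    word = (DF if df else 0) | (MF if mf else 0) | (offset & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, word, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))


if __name__ == "__main__":
    # (DF, MF, offset): the two logged DNS cases, then a three-fragment train
    for df, mf, off in [(0, 0, 0), (1, 0, 0), (0, 1, 0), (0, 1, 185), (0, 0, 370)]:
        h = sample_header(df, mf, off)
        print(frag_fields(h), classify(h), matched_rules(h))
```

Neither condition alone covers a whole fragment train: the first fragment has offset 0 and the last has MF 0. The logged DNS values (DF 0 or 1, MF 0, offset 0) match neither condition.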
     
  5. WinCenzo

    WinCenzo Registered Member

    OK, that's right. It was only a way to increase my knowledge about L'n'S, because this fragmentation function wasn't very clear to me.
    But I'm not such an expert; as you say, don't fix what ain't broken :D

    Thx for all :thumb:
     