IP fragmentation rules in the 'enhanced ruleset'

Discussion in 'LnS English Forum' started by nuser, Jun 15, 2007.

Thread Status:
Not open for further replies.
  1. nuser

    nuser Registered Member

    Joined:
    May 31, 2007
    Posts:
    105
    Location:
    Singapore
    IP fragmentation offset 'different 1'

    Hi, Frederic,
    In the enhanced ruleset, there are 2 IP fragmentation rules, i.e., "different 0" and "MF".
    I just have 2 simple questions:

    (1) For legitimate fragmented packets, the flag might be 'MF'; also, the offset might be non-zero (for example, 1480).
    Will LnS block such 'legitimate' packets?

    (2) Why does LnS introduce 'Equal 1' and 'different 1'? Is there any special reason for '1'?
    Thanks in advance.:thumb:
     
    Last edited: Jun 16, 2007
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Re: IP fragmentation offset 'different 1'

    Normally the first rule blocks all packets saying MoreFragment, and the second rule blocks packets that are not the first one.
    Yes, both rules will actually block this kind of packet.
    But if you are supposed to receive fragmented packets on your network then either you should not use these two rules, or you should enable the advanced option to have legitimate fragmented packets properly handled (and in that case, the rules will catch packets not belonging to a fragment list, and this is correct).
    No, there is no reason. It was probably a bad understanding of fragmented packets ;) at the very beginning of Look 'n' Stop seven years ago. And it remained like that.

    Frederic
     
  3. nuser

    nuser Registered Member
    Thanks a lot, Frederic!
    Appreciate your patience even with very basic or somewhat stupid questions of mine.:thumb:

    So, these 2 rules block ALL fragmented packets, which is not a problem in most cases.
    But if I want to allow 'good fragmented' packets, one way is to 'enable the management of fragmented IP packets'. Another way is to use raw edition to block 'bad packets', such as too small length/offset, size>65635.
    Wonder if some LnS guru can write some kind of tutorial on 'raw edit'.:p

    For the 'offset=1', from your explanation, it seems it's useless:doubt:
     
    Last edited: Jun 17, 2007
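To make the thread's three options concrete (the two ruleset rules, a sanity filter that drops only malformed fragments, and stateful handling of fragment lists), here is an added Python example written for this page; it is not Look 'n' Stop code, and the packets, addresses, thresholds and the fragment-list bookkeeping are constructed assumptions.

```python
import struct

MF_FLAG = 0x2000          # More Fragments bit in the flags/offset field
OFFSET_MASK = 0x1FFF      # 13-bit fragment offset, in units of 8 bytes
IPV4_MAX_LEN = 65535

def build_ipv4(ident, mf, offset_bytes, payload_len, proto=17):
    """Constructed sample packet: minimal 20-byte IPv4 header plus dummy payload."""
    flags_frag = (MF_FLAG if mf else 0) | ((offset_bytes // 8) & OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + b"\x00" * payload_len

def parse_ipv4(pkt):
    """Extract only the header fields that fragment rules look at."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ihl": (ver_ihl & 0xF) * 4, "total_len": total_len, "ident": ident,
            "mf": bool(ff & MF_FLAG), "offset": (ff & OFFSET_MASK) * 8,
            "key": (src, dst, ident, proto)}

def enhanced_rules_block(h):
    """The two rules as Frederic describes them: MF set, or offset 'different 0'."""
    return h["mf"] or h["offset"] != 0

def fragment_malformed(h):
    """The alternative nuser raises: drop only fragments that cannot be legitimate."""
    payload = h["total_len"] - h["ihl"]
    return (payload < 0                                  # total length shorter than the header
            or h["offset"] + payload > IPV4_MAX_LEN      # reassembled datagram would exceed 64 KiB
            or (h["mf"] and payload % 8 != 0)            # non-last fragments must be 8-byte multiples
            or (h["mf"] and payload < 8))                # assumed minimum size; tune to local policy

class FragmentManager:
    """Stateful handling in the spirit of 'management of fragmented IP packets':
    fragments whose first fragment was seen are accepted; orphans (no matching
    fragment list) fall through to the two rules and are blocked."""
    def __init__(self):
        self.lists = set()
    def decide(self, pkt):
        h = parse_ipv4(pkt)
        if fragment_malformed(h):
            return "block:malformed"
        if not enhanced_rules_block(h):
            return "accept"                   # unfragmented packet, rules do not fire
        if h["offset"] == 0:                  # first fragment (MF set) opens a list
            self.lists.add(h["key"])
            return "accept"
        if h["key"] in self.lists:
            if not h["mf"]:
                self.lists.discard(h["key"])  # last fragment closes the list
            return "accept"
        return "block:orphan"
```

With the two bare rules, the first fragment (MF set, offset 0) and the last one (MF clear, offset 1480) are both blocked; the manager accepts them in order and blocks only a non-first fragment with no open list or a fragment that would reassemble past 65535 bytes.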