Re: IP fragmentation problem in the 2.0 kernels ?

Alan Cox (alan@lxorguk.ukuu.org.uk)
Thu, 11 Sep 1997 20:17:16 +0100 (BST)


> > what a lot of folks do). Good high end firewalls don't have this problem and
> > actually test and process the icmp df frames for validity.
>
> Oh???? Linux is the only one I've heard of.....
> [hrm]
> Right. Okay, now I understand....
>
> Question - where could I find out how to figure out which ICMP DF frames
> are valid? (RFC?)

Take a look at the source to the "sf" firewall. Stateful firewalls keep
track of the sequence numbers and active TCP sockets. That means you can
pull the ICMP header off the ICMP DF and look at the header it's claiming
to have bounced and see if its sequence/ports are valid for a connection
you currently have.

> Yes - those who break the official IP specs should be slapped (hi
> mickysoft)... but no one is doing that these days <sigh>.... I DO
> remember before WWW - when such things WERE watched :)

The microsoft guys are actually fairly good.

Alan
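The check described in the reply above (peel the ICMP header off a "fragmentation needed / DF set" message, read the bounced IP and TCP headers inside it, and accept the message only if they belong to a connection the firewall is tracking and the sequence number is one actually in flight), as an added example. This is not code from the sf firewall or from the kernel; the connection-table layout, the `snd_una`/`snd_nxt` window test and the sample addresses and ports are assumptions constructed for the demonstration.

```python
"""Validate an ICMP 'fragmentation needed' (type 3, code 4) message against
a table of tracked TCP connections before honouring the advertised MTU.

Added example: the connection table layout and the window check are
assumptions, not the sf firewall's or the kernel's own code."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ICMP_DEST_UNREACH = 3   # ICMP type: destination unreachable
ICMP_FRAG_NEEDED = 4    # code: fragmentation needed and DF set
IPPROTO_TCP = 6
IPV4_MIN_MTU = 68       # RFC 791: every host must accept 68-byte datagrams


@dataclass
class TcpConnection:
    """Per-connection state a stateful firewall keeps (assumed layout)."""
    snd_una: int   # oldest sequence number sent but not yet acknowledged
    snd_nxt: int   # next sequence number the local side will send


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def seq_in_flight(seq: int, snd_una: int, snd_nxt: int) -> bool:
    """True if snd_una <= seq < snd_nxt, computed modulo 2**32."""
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)


def validate_frag_needed(icmp: bytes, connections: dict):
    """Return (accepted, reason).  `connections` maps
    (local_ip, local_port, remote_ip, remote_port) -> TcpConnection."""
    # ICMP header (8) + bounced IPv4 header (>=20) + first 8 bytes of TCP
    if len(icmp) < 8 + 20 + 8:
        return False, "too short to carry the bounced headers"
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return False, "not a fragmentation-needed message"
    if ones_complement_sum(icmp) != 0:
        return False, "bad ICMP checksum"
    # A zero MTU from a pre-RFC 1191 router is rejected here as well.
    if mtu < IPV4_MIN_MTU:
        return False, "advertised MTU below the IPv4 minimum"
    inner = icmp[8:]
    version, ihl = inner[0] >> 4, (inner[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(inner) < ihl + 8:
        return False, "malformed bounced IPv4 header"
    if inner[9] != IPPROTO_TCP:
        return False, "bounced packet is not TCP"
    if not inner[6] & 0x40:            # DF is bit 0x40 of the flags byte
        return False, "bounced packet did not have DF set"
    src = str(IPv4Address(inner[12:16]))
    dst = str(IPv4Address(inner[16:20]))
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    # The bounced packet was sent by us, so its source is the local endpoint.
    conn = connections.get((src, sport, dst, dport))
    if conn is None:
        return False, "no tracked connection for %s:%d -> %s:%d" % (src, sport, dst, dport)
    if not seq_in_flight(seq, conn.snd_una, conn.snd_nxt):
        return False, "sequence number %d not in flight" % seq
    return True, "accept: path MTU for %s:%d -> %s:%d is now %d" % (src, sport, dst, dport, mtu)


def build_frag_needed(src, dst, sport, dport, seq, mtu, df=True):
    """Construct a sample ICMP frag-needed message (test data, not a capture)."""
    flags = 0x4000 if df else 0
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8, 0x1234, flags, 64,
                           IPPROTO_TCP, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    inner_tcp = struct.pack("!HHI", sport, dport, seq)
    head = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu)
    csum = ones_complement_sum(head + inner_ip + inner_tcp)
    head = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, csum, 0, mtu)
    return head + inner_ip + inner_tcp


# Constructed connection table: one local connection with 400 bytes in flight.
CONNECTIONS = {
    ("10.0.0.5", 40000, "192.0.2.10", 80): TcpConnection(snd_una=1000, snd_nxt=1400),
}

if __name__ == "__main__":
    samples = [
        ("genuine", build_frag_needed("10.0.0.5", "192.0.2.10", 40000, 80, 1200, 1280)),
        ("stale sequence", build_frag_needed("10.0.0.5", "192.0.2.10", 40000, 80, 5000, 1280)),
        ("unknown connection", build_frag_needed("10.0.0.5", "192.0.2.10", 40001, 80, 1200, 1280)),
    ]
    for label, pkt in samples:
        print(label, validate_frag_needed(pkt, CONNECTIONS))
```

The sequence test is the part that distinguishes a stateful check from a simple port match: an ICMP error quoting a port pair the firewall has seen is easy to guess, but one quoting a sequence number inside the unacknowledged send window could only have been produced by a router that actually saw the bounced segment.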