Firewall Rules/connection troubles

Giorgos Keramidas keramida at
Sat Apr 12 16:00:21 PDT 2003

On 2003-04-12 14:40, Jeff Penn <jeff at> wrote:
>On Sat, Apr 12, 2003 at 08:30:57AM +0300, Giorgos Keramidas wrote:
>>   h. You're blocking fragments.  It's not always a good idea.
> Provided most rules use check-state, and the 'deny frag' rule follows
> the check-state rules, won't valid fragments be passed by dynamic rules?

No.  A fragment can not always match a check-state rule or a rule with
keep-state further down.  A fragment is allowed to have an offset and a
size, specifying what part of the original packet it covers.  Bearing in
mind that the IP packet header is 20 bytes (without options), and the
TCP header is also 20 bytes (also without options), any fragment after
the first 40 bytes does not include source & destination address/port
information.  It cannot be checked against the check-state rule and it
won't match a setup rule either.

More information about the freebsd-questions mailing list