Thorsten Kruschel <[EMAIL PROTECTED]> writes: > has anybody an Idea how to create an ICMP Packet with size of 1500 and > don't Fragment bit set? Or how to filter such Packets generally with > IPChains? > > I've the Problem, that a Maschine cancels the external connection some > times. No entrys in Syslog or anywhere else. In my Intrusion Detection I > see some maschines sending such Packets before the Maschine cancels the > Connection to the external Net.
If it's causing you problems, such as breaking the PMTU discovery (the typical one - what machines are giving you problems?), you shouldn't be filtering ICMP echo-requests. In ipchains, that's the best you can do - open yourself up to pings. In iptables, you can use the length module to filter by length within the ICMP protocol: | zsh, potato 2:52PM piglet % iptables -m length -h | tail [snip] | | length v1.2.5 options: | [!] --length length[:length] Match packet length against value or range ~Tim -- <http://spodzone.org.uk/> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
