From: Murray Taylor
To: dick hoogendijk
Cc: freebsdquestions
Date: Wed, 16 Feb 2005 10:10:36 +1100
Subject: Re: ipfilter "flags s keep state" question
Organization: Bytecraft Systems
Message-Id: <1108509036.80214.162.camel@wstaylorm.dand06.au.bytecraft.au.com>
In-Reply-To: <20050215223621.4f7790d8.dick@nagual.st>
Reply-To: mtaylor@bytecraft.com.au

tcp rules can use 'keep frags'

TCP packets allow fragmentation by intermediate routers
that need re-assembly at the final destination

On Wed, 2005-02-16 at 08:36, dick hoogendijk wrote:
> I read a lot of rulesets for ipfilter just to study how others do the
> job.
> I've read the ipf HOWTO too. One thing is still very unclear to me
> though.
> Most rules for tcp have something like "flags S keep state" but *some*
> have "flags S keep state keep frags"
>
> Can someone explain to me *when* to use keep frags and when not to? The
> HOWTO is very unclear about this. What exactly is the use of this extra
> 'keep frags'?

-- 
Murray Taylor
Special Projects Engineer
Bytecraft Systems & Entertainment
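
Added example, not part of the original post and not ipfilter's own code: a simplified Python model of a default-block stateful filter, showing why non-first fragments (which carry no TCP header) cannot match a "flags S keep state" entry unless fragment tracking is also enabled. The class names, the sample addresses and the (src, dst, IP ID) fragment key are assumptions of this model.

```python
# Simplified model of a default-block stateful filter (not ipfilter's code).
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ip_id: int                    # IP Identification, shared by all fragments
    frag_offset: int              # 0 for the first (or only) fragment
    more_frags: bool              # IP "more fragments" bit
    sport: Optional[int] = None   # TCP header exists only at offset 0
    dport: Optional[int] = None
    syn: bool = False

class Filter:
    def __init__(self, keep_frags: bool):
        self.keep_frags = keep_frags
        self.states = set()       # (src, sport, dst, dport), one direction only
        self.frags = set()        # (src, dst, ip_id) of expected fragments

    def check(self, p: Packet) -> bool:
        if p.frag_offset > 0:
            # No TCP header here, so ports and flags cannot be matched.
            key = (p.src, p.dst, p.ip_id)
            expected = key in self.frags
            if expected and not p.more_frags:
                self.frags.discard(key)   # last fragment seen
            return expected
        flow = (p.src, p.sport, p.dst, p.dport)
        if p.syn:
            self.states.add(flow)         # models "flags S keep state"
        if flow not in self.states:
            return False                  # default block
        if self.keep_frags and p.more_frags:
            self.frags.add((p.src, p.dst, p.ip_id))  # models "keep frags"
        return True

def run(keep_frags: bool) -> list:
    a, b = "10.0.0.5", "192.0.2.10"       # constructed sample addresses
    packets = [
        Packet(a, b, 1, 0, False, 40000, 80, syn=True),  # SYN opens the flow
        Packet(a, b, 2, 0, True, 40000, 80),             # first fragment
        Packet(a, b, 2, 185, True),                      # middle fragment
        Packet(a, b, 2, 370, False),                     # last fragment
        Packet(a, b, 9, 185, False),                     # fragment never announced
    ]
    f = Filter(keep_frags)
    return [f.check(p) for p in packets]

if __name__ == "__main__":
    print("keep state           :", run(False))
    print("keep state keep frags:", run(True))
```

In this model the stray fragment with an unseen IP ID is blocked in both modes, since only fragments announced by a first fragment that matched state are passed.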