Date: Wed, 16 Feb 2005 17:11:57 +0100 From: Dick Hoogendijk <dick@nagual.st> To: freebsd-questions <freebsd-questions@freebsd.org> Subject: Re: ipfilter "flags s keep state" question Message-ID: <20050216161156.GA17882@lothlorien.nagual.st> In-Reply-To: <1108509036.80214.162.camel@wstaylorm.dand06.au.bytecraft.au.com> References: <20050215223621.4f7790d8.dick@nagual.st> <1108509036.80214.162.camel@wstaylorm.dand06.au.bytecraft.au.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 16 Feb Murray Taylor wrote: > tcp rules can use 'keep frags' > TCP packets allow fragmentation by intermediate routers > that need re-assembly at the final destination > > On Wed, 2005-02-16 at 08:36, dick hoogendijk wrote: > > I read a lot of rulesets for ipfilter just to study how others do > > the job. I've read the ipf HOWTO too. One thing is still very > > unclear to me though. Most rules for tcp have something like "flags > > S keep state" but *some* have "flags S keep state keep frags" > > > > Can someone explain to me *when* to use keep frags and when not to? > > The HOWTO is very unclear about this. What exactly is the use of > > this extra 'keep frags'? YES, I know tcp packets can get fragmented. I wander however why in most cases people just use "keep state" and *sometimes* "keep state keep frags" I really like to know when or when not to use "keep frags" In other words: when is it really useful and when is it not? -- dick -- http://nagual.st/ -- PGP/GnuPG key: F86289CE ++ Running FreeBSD 4.11 ++ FreeBSD 5.3 + Nai tiruvantel ar vayuvantel i Valar tielyanna nu vilja
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050216161156.GA17882>