firewall hooks and fragmentation in 2.0.3x

Philip Gladstone (philip@raptor.com)
Wed, 11 Jun 1997 11:12:56 -0400


All (who are interested in firewalls),

Currently, there is some inconsistency about which
packets go through the output INET firewall code, and how often.
I propose to make the rule the following:

***
Each IP datagram goes through the output INET firewall code
exactly once. Fragmentation happens *after* the output code has
said 'YES'. Further, the whole output datagram will be provided
to the output firewall code.
***

I realize that some people may have thought that the above description
describes how the code works, but there are various odd paths
involving large PINGs and general fragmentation.

Are there any arguments for a different description?

Philip

-- 
Philip Gladstone                           +1 617 487 7700
Raptor Systems, Waltham, MA         http://www.raptor.com/
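The ordering the post proposes can be modelled outside the kernel. The following C program is an added example, not code from the post or from the Linux kernel: it contrasts the proposed path (filter the whole datagram once, fragment only after the firewall says YES) with the inconsistent path (fragment first, then run each piece through the firewall). The `struct datagram`, the `output_firewall` policy (a constructed rule that refuses UDP to port 53), the 576-byte MTU and the sample 2000-byte datagram are all assumptions made for the demonstration; the point they show is that a fragment without a transport header cannot be judged, so filtering after fragmentation both consults the firewall several times and lets trailing fragments through.

```c
#include <stdio.h>

/* Constructed model (not kernel code): a minimal IP datagram. Only the
 * first MTU-sized piece carries the transport header, as with real IP
 * fragmentation. */
#define MTU 576
#define IP_HDR 20

struct datagram {
    int total_len;          /* IP payload length in bytes (excluding IP header) */
    int proto;              /* 1 = ICMP, 17 = UDP */
    int dst_port;           /* meaningful only when has_transport_hdr is set */
    int has_transport_hdr;  /* 1 for a whole datagram or a first fragment */
    int frag_offset;        /* byte offset of this piece within the datagram */
};

/* How many times the "firewall code" was consulted for the last send;
 * the proposed rule says this should be exactly one. */
static int fw_calls;

/* Hypothetical output firewall policy (constructed sample rule): refuse UDP
 * to port 53. Returns 1 for "YES, send it", 0 for "drop". A piece with no
 * transport header cannot be judged and is accepted by default, which is
 * exactly the odd path the rule in the post is meant to close. */
static int output_firewall(const struct datagram *d)
{
    fw_calls++;
    if (!d->has_transport_hdr)
        return 1;
    if (d->proto == 17 && d->dst_port == 53)
        return 0;
    return 1;
}

/* Split into MTU-sized pieces; only the first carries the transport header.
 * Returns the number of fragments written to out (at most n). */
static int fragment(const struct datagram *d, struct datagram *out, int n)
{
    int chunk = MTU - IP_HDR;
    int count = 0, off;
    for (off = 0; off < d->total_len && count < n; off += chunk, count++) {
        out[count] = *d;
        out[count].frag_offset = off;
        out[count].total_len = (d->total_len - off < chunk) ? d->total_len - off : chunk;
        out[count].has_transport_hdr = (off == 0);
    }
    return count;
}

/* Proposed rule: the whole datagram is filtered exactly once, and
 * fragmentation happens only after YES. Returns the number of fragments sent. */
int send_filter_then_fragment(const struct datagram *d)
{
    struct datagram frags[64];
    fw_calls = 0;
    if (!output_firewall(d))
        return 0;
    return fragment(d, frags, 64);
}

/* The inconsistent path: fragment first, then consult the firewall for
 * every piece. Returns the number of fragments sent. */
int send_fragment_then_filter(const struct datagram *d)
{
    struct datagram frags[64];
    int n = fragment(d, frags, 64), i, sent = 0;
    fw_calls = 0;
    for (i = 0; i < n; i++)
        if (output_firewall(&frags[i]))
            sent++;
    return sent;
}

/* Number of firewall consultations during the most recent send. */
int firewall_calls(void)
{
    return fw_calls;
}

int main(void)
{
    /* Constructed sample: a 2000-byte UDP datagram to port 53, large enough
     * to need four 556-byte fragments at a 576-byte MTU. */
    struct datagram big = { 2000, 17, 53, 1, 0 };
    int sent_a = send_filter_then_fragment(&big);
    int calls_a = firewall_calls();
    int sent_b = send_fragment_then_filter(&big);
    int calls_b = firewall_calls();

    printf("filter-then-fragment: sent %d fragment(s), firewall consulted %d time(s)\n",
           sent_a, calls_a);
    printf("fragment-then-filter: sent %d fragment(s), firewall consulted %d time(s)\n",
           sent_b, calls_b);
    return 0;
}
```

With the sample datagram the proposed order drops it after one firewall call and sends nothing, while the fragment-first order calls the firewall four times and still sends the three trailing fragments, because only the first piece carries the UDP header the policy needs. That is the practical reason for presenting the whole datagram to the output firewall before fragmenting.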