Hi guys.
So what I was expecting is that if scrub is disabled, fragmented packets are passed through by the firewall as fragmented packets, i.e. not modified.
However, I ran some tests using a 3rd-party tester, which only passed when scrub was enabled, which is interesting as scrub reassembles the packets. This suggests to me that perhaps the test is flawed, as it should really be testing whether the packets remained fragmented, but it accepted the packets when they were no longer fragmented.
The test I used is here (the 2nd test on the page):
http://icmpcheckv6.popcount.org/
The command line test, so not needing a browser, uses this command:
curl -v -s http://icmpcheck.popcount.org/frag -o /dev/null
With scrub enabled both tests pass.
With scrub disabled the web test fails; the command test also fails, but with a much longer failure and the error "recv failed: permission denied".
If scrub is disabled, are specific rules needed to allow fragmented packets through, and would fragmented packets returned in response to an outbound request traverse NAT?
If specific rules are needed, how would fragmented packets be identified in a rule?
Thanks
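As an added illustration of the last two questions (this is example code written for this page, not code from the post or from any firewall), the Python script below builds an IPv4/UDP datagram, splits it into IP fragments the way a router would, and then classifies each fragment with only the information a stateless per-packet rule has. At the IP level a fragment is any packet with the More Fragments flag set or a non-zero fragment offset; only the first fragment carries the UDP/TCP header, so a rule or NAT state keyed on ports has nothing to match in the non-first fragments until the datagram is reassembled, which is what scrub does before rules are evaluated. Addresses, ports, payload size and MTU are constructed values, and the checksum/header helpers are this example's own.

```python
"""Added example (not from the forum post): build an IPv4/UDP datagram, split it
into IP fragments the way a router would, and show what a per-packet rule can
and cannot see in each fragment versus in the reassembled datagram.

Addresses, ports, payload size and MTU below are constructed for illustration.
"""
import struct

MF = 0x1  # More Fragments: bit 0 of the 3-bit flags field
DF = 0x2  # Don't Fragment
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header (returns 0 for a valid one)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ident: int, flags: int, frag_off: int) -> bytes:
    """20-byte IPv4 header. frag_off is in bytes and must be a multiple of 8,
    because the wire field counts 8-byte units."""
    assert frag_off % 8 == 0
    flags_off = (flags << 13) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_off, 64, proto, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def udp_datagram(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header + payload; checksum 0 means 'not computed' on IPv4."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def fragment(src, dst, proto, l4, ident, mtu=1500):
    """Split an L4 segment into IPv4 fragments that fit the MTU."""
    max_data = (mtu - 20) // 8 * 8          # fragment data must be 8-byte aligned
    frags, off = [], 0
    while off < len(l4):
        chunk = l4[off:off + max_data]
        more = off + len(chunk) < len(l4)
        frags.append(ipv4_header(src, dst, proto, len(chunk), ident,
                                 MF if more else 0, off) + chunk)
        off += len(chunk)
    return frags


def classify(pkt: bytes) -> dict:
    """What a stateless per-packet rule can see: fragment status, and the
    L4 ports only when the L4 header is actually present (offset 0)."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (f[0] & 0xF) * 4
    flags, off = f[4] >> 13, (f[4] & 0x1FFF) * 8
    info = {"id": f[3], "proto": f[6], "offset": off, "more": bool(flags & MF),
            "fragment": bool(flags & MF) or off != 0,
            "src": ".".join(map(str, f[8])), "dst": ".".join(map(str, f[9])),
            "ports": None}
    if off == 0 and f[6] in (IPPROTO_TCP, IPPROTO_UDP) and len(pkt) >= ihl + 4:
        info["ports"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


def reassemble(frags: list) -> bytes:
    """What fragment reassembly ('scrub') does before rules and NAT run:
    rebuild the original datagram so the L4 header is visible again."""
    frags = sorted(frags, key=lambda p: classify(p)["offset"])
    data = b""
    for p in frags:
        c = classify(p)
        if c["offset"] != len(data):
            raise ValueError("gap or overlap at offset %d" % c["offset"])
        data += p[(p[0] & 0xF) * 4:]
    if classify(frags[-1])["more"]:
        raise ValueError("last fragment missing")
    c = classify(frags[0])
    return ipv4_header(c["src"], c["dst"], c["proto"], len(data), c["id"], 0, 0) + data


if __name__ == "__main__":
    udp = udp_datagram(40000, 53, b"A" * 3000)       # constructed 3008-byte UDP datagram
    frags = fragment("192.0.2.10", "198.51.100.1", IPPROTO_UDP, udp, ident=1234)
    for p in frags:
        print(classify(p))                           # only the first one shows ports
    print(classify(reassemble(frags)))               # ports visible again
```

Running it shows three fragments for the 3008-byte datagram: the first reports the ports (40000, 53), the second and third report no ports at all, and the reassembled datagram is no longer a fragment and shows the ports again. That is the whole difference between "rules see the fragments" and "rules see the datagram", and it is why a test that only checks whether the request got through cannot tell the two cases apart.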