Security

Aaron aaron at aarons.net
Fri Jan 25 19:34:01 CST 2002


> The ip_always_defrag flag breaks RFC's, so shouldn't be used on a device
> with connections to the internet on both sides (ie a back-bone router or
> similar), but it works fine when you've got complete control of the "near"
> side of the network (ie most firewall environments, which is really where
> you care about fragment attacks anyway).

Exactly.  If it's a firewall, though, it's exactly what you want.

> Also curious...have you guys played with bypassing NAT translation to
> port-scan internal masqueraded systems?  If so, how sophisticated are the
> tools to do this?  I'm wondering how worried I should be about this form of
> attack...

Yes.  It takes a little skill and practice.  Do a search on NMAP.  I can't
remember where I got it.  You'll be amazed how easy it is to bypass NAT and
some firewalls to scan internal systems.  Play with it for a few days and
then tell me how worried you should be. ;)

Aaron



