IP Fragments and firewall rules

I have hundreds of routers - all with connection tracking disabled.

I want to enter a single firewall rule to just drop dst tcp/80.

As soon as I enable any firewall rules, routers start dropping fragmented packets (microcells / femtos break).

How can I allow fragmented packets to pass uninhibited and still sometimes use a single firewall rule? As soon as there is a single rule the router stops passing fragmented packets.

You need to enable connection tracking to make that work!

I don't want any connection tracking; it slows things down. I am not enabling anything needing conn-track in the firewall and I for sure do not want packet reassembly. Is there no way to just route fragments as is? We have 1.5 Gbps of traffic and I for sure do not want to enable connection tracking on 100+ routers around the network.

When you don't have connection tracking you cannot filter on port numbers, because they are not present in subsequent fragments of a fragmented packet. Without connection tracking the router has no way of relating fragments at nonzero offsets to the filtering rule.

add chain=input/forward protocol=tcp fragment=yes action=accept

this sounds correct and usable, however wouldn’t the implicit rule at the end of the chain just accept them anyhow?

I'd have thought so. I can't see anything that suggests the implicit ACCEPT doesn't accept fragments.
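The two points made above (only the first fragment carries the TCP ports, so a stateless port match cannot see later fragments; and the question of whether the implicit accept at the end of the chain would pass them anyway) can be made concrete with a small model. The following is an added example written for this thread, not code from the thread or from MikroTik. It builds one IPv4/TCP packet from constructed sample data, fragments it the way a router with a 576-byte MTU would, and runs a toy stateless rule evaluator over the fragments. The rule semantics are assumptions modelled on iptables/RouterOS behaviour: a `dst_port` match can only be evaluated on a fragment that contains the transport header (fragment offset 0), `fragment=yes` means a non-first fragment (offset > 0), and an unmatched packet falls through to an implicit accept. It shows what each fragment exposes to a filter; it does not reproduce the router internals that caused the drops the original poster observed.

```python
"""Stateless filtering of IPv4 fragments: which fragments carry TCP ports?

Added example (not MikroTik code). Checksums are left at 0 because the
packets are only inspected, never sent.
"""
import struct

IPPROTO_TCP = 6
IP_MF = 0x1  # "more fragments" flag (bit 13 of the flags/offset field)


def build_tcp(sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (data offset 5, PSH|ACK) followed by payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return hdr + payload


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, ident: int,
               more_fragments: bool = False, frag_offset: int = 0) -> bytes:
    """IPv4 header without options; frag_offset is in 8-byte units."""
    flags_off = ((IP_MF << 13) if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr + payload


def fragment(packet: bytes, mtu: int) -> list[bytes]:
    """Split an IPv4 packet into fragments that fit `mtu`, as a router would."""
    ihl = (packet[0] & 0x0F) * 4
    hdr, payload = packet[:ihl], packet[ihl:]
    ident = struct.unpack("!H", hdr[4:6])[0]
    proto = hdr[9]
    step = (mtu - ihl) // 8 * 8  # every non-last fragment payload is a multiple of 8
    frags = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        last = off + step >= len(payload)
        frags.append(build_ipv4(hdr[12:16], hdr[16:20], proto, chunk, ident,
                                more_fragments=not last, frag_offset=off // 8))
    return frags


def parse(frag: bytes) -> dict:
    """What a stateless filter can see: L3 fields always, TCP ports only at offset 0."""
    ihl = (frag[0] & 0x0F) * 4
    proto = frag[9]
    flags_off = struct.unpack("!H", frag[6:8])[0]
    info = {"proto": proto, "offset": flags_off & 0x1FFF,
            "mf": bool((flags_off >> 13) & IP_MF), "dst_port": None}
    if info["offset"] == 0 and proto == IPPROTO_TCP and len(frag) >= ihl + 4:
        info["dst_port"] = struct.unpack("!H", frag[ihl + 2:ihl + 4])[0]
    return info


def matches(rule: dict, info: dict) -> bool:
    """Assumed semantics: dst_port needs the header present; fragment=True is offset > 0."""
    for key, want in rule.items():
        if key == "action":
            continue
        if key == "dst_port":
            if info["dst_port"] != want:  # None (no header in this fragment) never matches
                return False
        elif key == "fragment":
            if (info["offset"] > 0) != want:
                return False
        elif key == "proto":
            if info["proto"] != want:
                return False
        else:
            raise ValueError(f"unsupported matcher {key}")
    return True


def evaluate(rules: list[dict], frag: bytes) -> tuple[str, str]:
    """First matching rule wins; an unmatched fragment hits the implicit accept."""
    info = parse(frag)
    for i, rule in enumerate(rules):
        if matches(rule, info):
            return rule["action"], f"rule {i}"
    return "accept", "implicit"


def verdicts(rules: list[dict], packet: bytes, mtu: int = 576) -> list[tuple[str, str]]:
    return [evaluate(rules, f) for f in fragment(packet, mtu)]


# Constructed sample traffic: 1400 bytes of HTTP to port 80 and the same to port 443.
SRC, DST = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10])
HTTP_PACKET = build_ipv4(SRC, DST, IPPROTO_TCP, build_tcp(40000, 80, b"A" * 1400), ident=0x1234)
OTHER_PACKET = build_ipv4(SRC, DST, IPPROTO_TCP, build_tcp(40001, 443, b"B" * 1400), ident=0x1235)

DROP_80 = {"action": "drop", "proto": IPPROTO_TCP, "dst_port": 80}        # the single rule wanted
ACCEPT_FRAGS = {"action": "accept", "fragment": True}                      # fragment=yes action=accept

if __name__ == "__main__":
    for name, pkt in (("tcp/80", HTTP_PACKET), ("tcp/443", OTHER_PACKET)):
        print(name, "fragments:", [(parse(f)["offset"], parse(f)["dst_port"]) for f in fragment(pkt, 576)])
        print("  drop-80 only        :", verdicts([DROP_80], pkt))
        print("  accept-frags, drop-80:", verdicts([ACCEPT_FRAGS, DROP_80], pkt))
```

In this model the port rule only ever fires on the offset-0 fragment, the two later fragments of the same packet expose no port at all, and with only the drop rule in place they reach the implicit accept. Putting the explicit `fragment=yes action=accept` rule first changes which rule accepts them, not the verdict. What the model cannot show is anything the real router does with non-first fragments beyond plain rule matching, which is exactly the part of the original report that the thread leaves unexplained.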