Fragmentation and Reassembly of IP Datagrams
In a past life I worked for a large company, first as a network firewall administrator and eventually made my into the security team as a network security specialist, responsible for developing and auditing the network security standards. While I wrote many network related standards and best-practices documents, the following was definitely one of my favorites. I had to convert and sanitize the content and while it is very lengthy (and not suitable for a blog), I figured I give it a shot at posting to my site.
A special thanks to Yuri Kopylovski who helped me co-author this guide and to the many folks at www.anti-online.com who benefited from the content over the years. This was originally published in 2007 under my alias “aciscorouter” and has since been edited to include suggestions from the Anti-Online community.
You will note that the rule order is identified in the first column I provide with the samples under all descriptions (i.e. the very first rule is a drop rule against the firewall and the very last should be a “clean-up” rule).