search for: config_ip_always_defrag

...y of the victim machine's operating system, it might be necessary to swap steps 1 and 2. It is important to note that there are two conditions that must be met for a particular ipchains packet filter to be vulnerable: 1. The packet filter must not be configured with the Linux kernel option CONFIG_IP_ALWAYS_DEFRAG. If the packet filter reassembles the fragments before doing the firewall checks, then this attack will fail. 2. The packet filter must have a rule to allow non-first fragments to pass. The Linux ipchains how-to suggests that either an administrator selects CONFIG_IP_ALWAYS_DEFRAG, or imp...