[ILUG] Firewalls... linux -v- BSD
paul at clubi.ie
Wed Aug 30 01:36:21 IST 2006
On Tue, 29 Aug 2006, Harry Duncan wrote:
> what I think it means, is what facilitates fragmented packet attacks?
Which attacks are these?
Just like the "If your TCP stack is known buggy, you shouldn't allow
/any/ TCP through - which can be done statelessly" case, the same thing
applies with IP fragmentation - you shouldn't allow /any/ IP
fragments through really if some buggy host is known to barf. This
can again be done statelessly (filter out IP to that host with either
the More bit set, or fragment offset > 0)[1].
If you really can't get this machine fixed, and hence need some
'middle-box' to keep state and fix up packets going to some known
buggy host, then apply such /sparingly/ to known affected hosts only.
Your other hosts have no need for the problems a middle-box can cause
by trying to foist state-validation on its packets.
> Would hope for the sake of my own network which is protected
> statelessly that you will correct me on that!
I just did.
1. IP fragmentation is rare these days though.
Now if only idiot[2] firewall designers/administrators would learn
that YOU SHOULDN'T BLOCK ALL ICMP.
I *keep* running into this one (I could set TCP mss clamping, but
that only works for TCP and it's mildly amusing to regularly find
new idiots to bat with clue stick).
2. For a value of idiot that can include otherwise knowledgeable and
competent people, who just lack clue in the specific area of IP
and configuring firewalls correctly. It's not meant to be quite as
insulting as it sounds. ;)
regards,
--
Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
Fortune:
(CBG attends the Movementarians mass marriage ceremony)
CBG: (to new bride) So, do you enjoy comic books?
The Joy Of Sect (Episode 5F23)
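The stateless fragment test described in the post above (More Fragments bit set, or fragment offset > 0, applied only to hosts known to mishandle fragments) and the point about not blocking the ICMP messages Path MTU Discovery depends on, worked through as an added Python example; this is not code from the original list post or its author. The `BUGGY_HOSTS` address, the sample packets and the `make_ipv4` builder are constructed placeholders using RFC 5737 documentation addresses; the classifier reads only IPv4 header fields and keeps no state.

```python
import ipaddress
import struct

IP_MF = 0x1                # "More Fragments" flag, bit 13 of the flags/offset field
FRAG_OFFSET_MASK = 0x1FFF  # low 13 bits: fragment offset, in 8-byte units
PROTO_ICMP = 1
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4       # "fragmentation needed and DF set": required for PMTUD

# Hypothetical placeholder: hosts known to mishandle fragments (constructed address).
BUGGY_HOSTS = {ipaddress.ip_address("192.0.2.10")}

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header layout


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields a stateless filter needs.

    Only header fields are read; no reassembly or connection state is kept.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return {
        "mf": bool((flags_frag >> 13) & IP_MF),
        "frag_offset": flags_frag & FRAG_OFFSET_MASK,
        "proto": proto,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "payload": pkt[ihl:],
    }


def is_fragment(hdr: dict) -> bool:
    """The stateless test from the post: MF set, or a non-zero fragment offset."""
    return hdr["mf"] or hdr["frag_offset"] > 0


def verdict(pkt: bytes) -> tuple:
    """Return (action, reason) for one packet without keeping any state."""
    hdr = parse_ipv4(pkt)
    if is_fragment(hdr):
        if hdr["dst"] in BUGGY_HOSTS:
            return ("DROP", "fragment to a host known to mishandle fragments")
        return ("ACCEPT", "fragment to a host with a sane stack")
    if hdr["proto"] == PROTO_ICMP and len(hdr["payload"]) >= 2:
        icmp_type, icmp_code = hdr["payload"][0], hdr["payload"][1]
        if icmp_type == ICMP_DEST_UNREACH and icmp_code == ICMP_FRAG_NEEDED:
            # Dropping this message breaks Path MTU Discovery for every
            # protocol; TCP MSS clamping can only paper over it for TCP.
            return ("ACCEPT", "ICMP fragmentation-needed, required for PMTUD")
    return ("ACCEPT", "default")


def make_ipv4(src: str, dst: str, proto: int, mf: bool = False,
              frag_offset: int = 0, payload: bytes = b"") -> bytes:
    """Build a constructed IPv4 packet for testing (header checksum left at zero)."""
    flags_frag = ((IP_MF if mf else 0) << 13) | (frag_offset & FRAG_OFFSET_MASK)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload


# Constructed sample packets (documentation addresses, not real traffic).
FIRST_FRAG_TO_BUGGY = make_ipv4("198.51.100.1", "192.0.2.10", 6, mf=True)
LAST_FRAG_TO_BUGGY = make_ipv4("198.51.100.1", "192.0.2.10", 6, frag_offset=185)
FRAG_TO_OTHER = make_ipv4("198.51.100.1", "192.0.2.20", 6, mf=True)
# ICMP type 3 code 4, next-hop MTU 1500 in the last two bytes.
FRAG_NEEDED_TO_BUGGY = make_ipv4("203.0.113.1", "192.0.2.10", PROTO_ICMP,
                                 payload=b"\x03\x04\x00\x00\x00\x00\x05\xdc")

if __name__ == "__main__":
    for name, pkt in [("first fragment -> buggy host", FIRST_FRAG_TO_BUGGY),
                      ("last fragment -> buggy host", LAST_FRAG_TO_BUGGY),
                      ("fragment -> other host", FRAG_TO_OTHER),
                      ("ICMP frag-needed -> buggy host", FRAG_NEEDED_TO_BUGGY)]:
        print(f"{name}: {verdict(pkt)}")
```

The drop rule is scoped to `BUGGY_HOSTS` only, matching the advice to apply fragment handling sparingly to known-affected hosts rather than to the whole network, and the ICMP branch shows the one message type a "block all ICMP" policy silently breaks for everything, not just TCP.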