LINUX.IE, website of the Irish Linux Users' Group
[ILUG] Firewalls... linux -v- BSD

paul at clubi.ie paul at clubi.ie
Wed Aug 30 01:36:21 IST 2006


On Tue, 29 Aug 2006, Harry Duncan wrote:

> what I think it means, is what facilitates fragmented packet attacks?

Which attacks are these?

Just like the "If your TCP stack is known buggy, you shouldn't allow 
/any/ TCP through - which can be done statelessly" case, same thing 
applies with IP fragmentation - you shouldn't allow /any/ IP 
fragments through really if some buggy host is known to barf. This 
can again be done statelessly (filter out IP to that host with either 
More bit set, or fragment offset > 0)[1].

If you really can't get this machine fixed, and hence need some 
'middle-box' to keep state and fix up packets going to some known 
buggy host, then apply such /sparingly/ to known affected hosts only.

Your other hosts have no need for the problems a middle-box can cause 
by trying to foist state-validation on its packets.

> Would hope for the sake of my own network which is protected 
> statelessly that you will correct me on that!

I just did.

1. IP fragmentation is rare these days though.

    Now if only idiot[2] firewall designers/administrators would learn
    that YOU SHOULDN'T BLOCK ALL ICMP.

    I *keep* running into this one (I could set TCP mss clamping, but
    that only works for TCP and it's mildly amusing to regularly find
    new idiots to bat with clue stick).

2. For a value of idiot that can include otherwise knowledgeable and
    competent people, who just lack clue in the specific area of IP
    and configuring firewalls correctly. It's not meant to be quite as
    insulting as it sounds. ;)

regards,
-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
Fortune:
(CBG attends the Movementarians mass marriage ceremony)

CBG:	(to new bride) So, do you enjoy comic books?

 		The Joy Of Sect (Episode 5F23)
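The stateless fragment test Paul describes (More bit set, or fragment offset > 0), applied only to known-buggy hosts, together with the "don't block all ICMP" point, as an added Python example that is not part of the original post or thread. It builds a few IPv4 packets itself (constructed test input using TEST-NET addresses), decodes just the header fields a stateless filter needs, and makes a per-packet decision with no state. The buggy-host list, the addresses, and the ICMP allow-list are the example's own assumptions, not anything from the mailing list.

```python
import struct
from ipaddress import IPv4Address

IP_PROTO_ICMP = 1
IP_PROTO_TCP = 6
FLAG_MF = 0x2000            # "More Fragments" bit in the 16-bit flags/offset word
FRAG_OFFSET_MASK = 0x1FFF   # low 13 bits: fragment offset in 8-byte units

# Hypothetical policy data (not from the post): hosts known to barf on
# fragments, and the ICMP types that must get through even on a restrictive
# filter: 3 = destination unreachable (code 4, "fragmentation needed", is
# what path-MTU discovery relies on) and 11 = time exceeded.
BUGGY_HOSTS = {"192.0.2.10"}
REQUIRED_ICMP_TYPES = {3, 11}


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload=b"", mf=False, frag_offset=0):
    """Constructed test input: a 20-byte IPv4 header (no options) + payload."""
    flags_frag = (FLAG_MF if mf else 0) | (frag_offset & FRAG_OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the header fields a stateless filter needs; ValueError on junk."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    if _checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "proto": proto,
        "mf": bool(flags_frag & FLAG_MF),
        "frag_offset": flags_frag & FRAG_OFFSET_MASK,
        "payload": pkt[ihl:],
    }


def is_fragment(hdr: dict) -> bool:
    """The stateless test from the post: More bit set, or fragment offset > 0.
    Both are needed: the first fragment has offset 0 but MF set, the last has
    MF clear but offset > 0."""
    return hdr["mf"] or hdr["frag_offset"] > 0


def verdict(pkt: bytes) -> str:
    """Per-packet, no state kept: returns 'accept' or 'drop'."""
    try:
        hdr = parse_ipv4(pkt)
    except ValueError:
        return "drop"
    # Fragments are refused only for the hosts that cannot cope with them;
    # everyone else gets them untouched, with no middle-box reassembly.
    if hdr["dst"] in BUGGY_HOSTS and is_fragment(hdr):
        return "drop"
    # Only the first fragment carries the ICMP header, so the type can be
    # read only when frag_offset == 0 (a stateless filter cannot do better).
    if hdr["proto"] == IP_PROTO_ICMP and hdr["frag_offset"] == 0:
        if len(hdr["payload"]) < 8:          # ICMP header is 8 bytes
            return "drop"
        icmp_type = hdr["payload"][0]
        return "accept" if icmp_type in REQUIRED_ICMP_TYPES else "drop"
    return "accept"


if __name__ == "__main__":
    src, buggy, sane = "198.51.100.1", "192.0.2.10", "192.0.2.20"
    samples = [
        ("tcp, unfragmented", build_ipv4(src, buggy, IP_PROTO_TCP, b"\x00" * 20)),
        ("first fragment", build_ipv4(src, buggy, IP_PROTO_TCP, b"\x00" * 8, mf=True)),
        ("last fragment", build_ipv4(src, buggy, IP_PROTO_TCP, b"\x00" * 8, frag_offset=185)),
        ("last fragment, sane host", build_ipv4(src, sane, IP_PROTO_TCP, b"\x00" * 8, frag_offset=185)),
        ("icmp frag-needed", build_ipv4(src, sane, IP_PROTO_ICMP, b"\x03\x04" + b"\x00" * 6)),
        ("icmp echo request", build_ipv4(src, sane, IP_PROTO_ICMP, b"\x08\x00" + b"\x00" * 6)),
    ]
    for label, pkt in samples:
        print(f"{label:26s} -> {verdict(pkt)}")
```

Two practical caveats. The `is_fragment` test really does need both halves: on Linux, iptables' `-f` match only refers to second and further fragments (offset > 0), so a rule built on `-f` alone lets the first fragment (offset 0, MF set) through to the buggy host. And because later fragments carry no transport header, any per-type ICMP or per-port TCP policy can only ever be applied to the first fragment by a stateless filter; that is the trade-off the post accepts in exchange for not foisting state on every host.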