
Re: Interesting article about punching holes in firewalls...

To: Martijn Lievaart <m@rtij.nl>
Subject: Re: Interesting article about punching holes in firewalls...
From: Cedric Blancher <blancher@cartel-securite.fr>
Date: Wed, 20 Dec 2006 04:42:11 +0100
Cc: Mail List - Netfilter <netfilter@lists.netfilter.org>, Grant Taylor <gtaylor@riverviewtech.net>
Delivered-to: sp-com-lists@consult.net
Delivered-to: netfilter-list1@securepoint.com
In-reply-to: <4588351F.1040806@rtij.nl>
List-archive: </pipermail/netfilter>
List-help: <mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id: General discussion and user questions <netfilter.lists.netfilter.org>
List-post: <mailto:netfilter@lists.netfilter.org>
List-subscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
Organization: Cartel Securite
References: <45860240.2040102@riverviewtech.net> <1166426813.8007.10.camel@anduril.intranet.cartel-securite.net> <4587B400.6080206@rtij.nl> <1166526302.12238.12.camel@anduril.intranet.cartel-securite.net> <4588351F.1040806@rtij.nl>
Sender: netfilter-bounces@lists.netfilter.org
On Tuesday 19 December 2006 at 19:53 +0100, Martijn Lievaart wrote:
> ICMP filtering is not tricky. Just remember the rules.
> 1) NEVER, EVER, EVER filter out fragmentation needed.

;)

> 2) You may filter out ping, and the various destination unreachables, 
> the consequences are yours.

Actually, Fragmentation Needed is one of the various Destination Unreachable
messages... Type 3, code 4.

> 3) Everything else can be filtered without consequences.

Time Exceeded ?

> If you mean, it is hard for a firewall to filter malicious ICMPs but not 
> benign ICMPs, then we agree. 

That was my point.

> I have not heard of a fragmentation needed attack yet, but I can
> imagine it happening (analogous to the zero window size attack).

You can use Frag Needed to degrade performance. See section 7 of:

http://www.gont.com.ar/drafts/icmp-attacks/draft-ietf-tcpm-icmp-attacks-01.txt

You can also use Source Quench.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
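The three rules argued over in this thread (never drop Fragmentation Needed, decide for yourself about ping and the other Destination Unreachables, keep Time Exceeded too) can be written down as a small classifier. The following is an added example, not code from the thread or from the netfilter project: it decodes an ICMPv4 message, verifies the RFC 1071 checksum, pulls the Next-Hop MTU out of a type 3 / code 4 message together with the quoted IP header, and returns ACCEPT or DROP for it. The packets it runs on are constructed inline; the `allow_echo` and `allow_unreachable` switches are this example's own knobs and stand for the "consequences are yours" part of rule 2.

```python
"""Parse ICMPv4 messages and apply the filtering rules discussed in the thread."""
import struct
from dataclasses import dataclass
from typing import Optional

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH = 0, 3, 4
ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 8, 11
CODE_FRAG_NEEDED = 4          # Destination Unreachable, code 4: "fragmentation needed and DF set"
ERROR_TYPES = {3, 4, 5, 11, 12}  # ICMP errors quote the offending IP header plus 8 bytes of payload


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes, data: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (used here only to build sample input)."""
    if len(rest) != 4:
        raise ValueError("the 'rest of header' field is exactly 4 bytes")
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + data
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest + data


@dataclass
class IcmpMessage:
    type: int
    code: int
    checksum_ok: bool
    next_hop_mtu: Optional[int]   # only meaningful for type 3 / code 4
    quoted_src: Optional[str]     # taken from the quoted IP header of an error message
    quoted_dst: Optional[str]
    quoted_proto: Optional[int]


def parse_icmp(payload: bytes) -> IcmpMessage:
    """Decode the ICMP header and, for error messages, the quoted original IP header."""
    if len(payload) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum = struct.unpack("!BBH", payload[:4])
    # A message whose checksum is valid sums to 0xFFFF, so the complement is 0.
    checksum_ok = icmp_checksum(payload) == 0
    mtu = src = dst = proto = None
    if icmp_type == ICMP_DEST_UNREACH and code == CODE_FRAG_NEEDED:
        mtu = struct.unpack("!H", payload[6:8])[0]   # RFC 1191 "Next-Hop MTU"
    if icmp_type in ERROR_TYPES and len(payload) >= 28:
        quoted = payload[8:28]                        # IPv4 header of the packet that triggered the error
        proto = quoted[9]
        src = ".".join(str(b) for b in quoted[12:16])
        dst = ".".join(str(b) for b in quoted[16:20])
    return IcmpMessage(icmp_type, code, checksum_ok, mtu, src, dst, proto)


def decide(msg: IcmpMessage, allow_echo: bool = False, allow_unreachable: bool = True) -> str:
    """Return ACCEPT or DROP following the thread's three rules (the two flags are this example's own)."""
    if not msg.checksum_ok:
        return "DROP"
    if msg.type == ICMP_DEST_UNREACH and msg.code == CODE_FRAG_NEEDED:
        return "ACCEPT"     # rule 1: never filter Fragmentation Needed, PMTU discovery depends on it
    if msg.type == ICMP_TIME_EXCEEDED:
        return "ACCEPT"     # the objection to rule 3: TTL expiry and traceroute need Time Exceeded
    if msg.type == ICMP_DEST_UNREACH:
        return "ACCEPT" if allow_unreachable else "DROP"   # rule 2: other unreachables, your call
    if msg.type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "ACCEPT" if allow_echo else "DROP"          # rule 2: ping is optional
    return "DROP"           # rule 3: everything else, including Source Quench (type 4)


# Constructed sample: first 28 bytes of a TCP packet 10.0.0.1 -> 192.0.2.10 with DF set,
# as a router would quote it in a Fragmentation Needed reply announcing a 1400-byte next hop.
QUOTED_IP_AND_TCP = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    + struct.pack("!HHI", 40000, 443, 0x01020304)
)
SAMPLE_FRAG_NEEDED = build_icmp(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED,
                                struct.pack("!HH", 0, 1400), QUOTED_IP_AND_TCP)
SAMPLE_SOURCE_QUENCH = build_icmp(ICMP_SOURCE_QUENCH, 0, b"\x00" * 4, QUOTED_IP_AND_TCP)
SAMPLE_ECHO_REQUEST = build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"ping")

if __name__ == "__main__":
    for name, raw in [("frag-needed", SAMPLE_FRAG_NEEDED), ("source-quench", SAMPLE_SOURCE_QUENCH),
                      ("echo-request", SAMPLE_ECHO_REQUEST)]:
        m = parse_icmp(raw)
        print(f"{name:14} type={m.type} code={m.code} mtu={m.next_hop_mtu} "
              f"quoted={m.quoted_src}->{m.quoted_dst} -> {decide(m)}")
```

On a netfilter box the same policy is normally expressed with an `-m conntrack --ctstate RELATED -j ACCEPT` rule, which lets through ICMP errors whose quoted header matches a tracked connection (that check on the quoted header is also what the Gont draft cited above relies on to blunt forged errors), plus explicit `-p icmp --icmp-type 3/4` and `--icmp-type 11` accepts in front of any blanket ICMP drop.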