Bugtraq: Re: Possible security hole

[wbarrow () LOCKED COM (Warren Barrow)]

it is quite possible that -any- firewall may be incorrectly configured.. I
would have to say that a good portion of firewalls are running in
production mode with incorrect configurations. If you read -further- into
the FW-1 documentation it states that it is highly advisable to enable
"control ip forwarding at boot".  ..with this option enabled, fw-1 will
make sure the interface does not come up until the security policy is
loaded and in place.

If you are running firewall-1 v3.0b, it is time to upgrade... 4.0 is out
and has many a fix added.

-Warren Barrow/CCSE



At 08:09 AM 3/29/99 -0300, you wrote:
> Quoting Christoforos Karatzinis <chka () SOLUTIONS IE>:
>
> Hi,
>     The FW1 documentation clearly states that there is
> a small delay after the interface initialize's and the
> FW starts acting on it.  It is possible to do something
> "bad" to it in this period...
>
> Regards,
> Cristiano Lincoln Mattos
> Recife / Brazil
>
> > The first 25 packets were lost before the interface's
> initialization. The
> > packets with sequence number greater than 34 are droped
> from the firewall.
> > What about the packets with sequence number 25-34? Is it
> possible that
> > someone can use this time (after the interface's
> initialization and before
> > the firewall's initialization) to do something bad?
> >
> > Regards,
> > Christofer