Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Ambiguities in TCP/IP - firewall bypassing
From: cbrenton () slartibartfast pa net
Date: Sat, 19 Oct 2002 13:20:47 -0400 (EDT)

On Sat, 19 Oct 2002, Florian Weimer wrote:

As a result of this bug, it's quite complicated (if not impossible in
some configurations) to properly filter connection attempts to Linux 
hosts on Cisco IOS routers.
Actually, not really provided you are IOS 11.3 or higher.
If your access list is a whitelist with a "permit tcp any any
established" statement somewhere, it's very likely that you can bypass
the filter just by setting the RST in the initial SYN packet

True, which is why if you are relying on ACL's as your only line of 
defense you are better off doing a:

ip access-list extended filterout
permit tcp any reflect tcp-state

ip access-list extended filterin
evaluate tcp-state

Yes you will take a bigger performance hit with reflexive filters, but
it's worth it if it's your only line of defense. 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]