
RE: Inappropriate TCP Resets Considered Harmful
From: "Ofir Arkin" <ofir () sys-security com>
Date: Sat, 12 May 2001 11:31:45 +0200

> I'm mainly of the opinion that ECN is experimental, and sends
> non-RFC-compliant datagrams. I think that any firewalls that pass ECN
> enabled TCP without being explicitly configured to do so aren't doing their
> job properly.

I think this is, again, the question of who was here first, the chicken or
the egg.
Some people might suggest that a firewall does not have to verify the
integrity of some field values before (or after) it processes a packet.

Sure, this is not an 'original' goal of firewalls but, in my opinion,
firewalls should have more intelligence than they have today. I have raised
this point before. You can read my paper: "Unverified Fields - A Problem
with Firewalls & Firewall Technology Today", from my web site:


> Having said that, maybe you should suggest a more appropriate firewall
> response? IMHO (and I'm no RFC guru) I'd say that discarding the packet and
> sending an ICMP parameter problem error might be more informative. That
> will still abort your prospective TCP connection, though. Would the ECN TCP
> stacks cope better with this?

The ICMP Parameter Problem error message is sent for error conditions in the IP
header that are not reported by another ICMP error message.

Just my 2 cents

Ofir Arkin [ofir () sys-security com]
The Sys-Security Group
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
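As an added example (not from this thread or its author), a minimal filter check in Python for the ECN bits the discussion is about: it parses a constructed IPv4/TCP packet, reports the IP ECN bits and the TCP CWR/ECE flags, and, when policy does not explicitly allow ECN, builds the ICMP Parameter Problem (type 12, code 0) that the quoted reply proposes, with its pointer at the TOS octet. Function and constant names are hypothetical.

```python
import struct

# ECN lives in the two low bits of the IPv4 TOS octet and in the two TCP
# header bits that were previously reserved (CWR and ECE). Hypothetical names.
IP_ECN_MASK = 0x03
TCP_CWR = 0x80
TCP_ECE = 0x40

def ecn_fields(packet: bytes) -> dict:
    """Report the ECN-related bits set in an IPv4+TCP packet."""
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    if packet[9] != 6:                     # protocol field must be TCP
        raise ValueError("not a TCP packet")
    flags = packet[ihl + 13]               # TCP flags octet
    return {"ip_ecn": packet[1] & IP_ECN_MASK,
            "tcp_cwr": bool(flags & TCP_CWR),
            "tcp_ece": bool(flags & TCP_ECE)}

def uses_ecn(packet: bytes) -> bool:
    f = ecn_fields(packet)
    return f["ip_ecn"] != 0 or f["tcp_cwr"] or f["tcp_ece"]

def icmp_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parameter_problem(packet: bytes, pointer: int) -> bytes:
    """Build ICMP Parameter Problem (type 12, code 0): the pointer names the
    offending octet of the original IP header; that header + 8 bytes are quoted."""
    ihl = (packet[0] & 0x0F) * 4
    quoted = packet[:ihl + 8]
    unchecked = struct.pack("!BBHB3x", 12, 0, 0, pointer) + quoted
    csum = icmp_checksum(unchecked)
    return struct.pack("!BBHB3x", 12, 0, csum, pointer) + quoted

def filter_decision(packet: bytes, ecn_allowed: bool):
    """'pass', or 'drop' plus the ICMP error pointing at the TOS octet (offset 1)."""
    if ecn_allowed or not uses_ecn(packet):
        return "pass", None
    return "drop", parameter_problem(packet, pointer=1)

# Constructed sample: IPv4 header with TOS 0x02 (ECT(0)), then a TCP SYN with CWR|ECE.
SAMPLE = bytes.fromhex("4502002800014000400600000a0000010a000002"
                       "04000050000000010000000050c2ffff00000000")
```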
