namp -f and FW-1
From: Lance Spitzner <lance () spitzner net>
Date: Wed, 24 May 2000 23:19:19 -0500 (CDT)
Just posted this to the FW-1 listserv, thought
you guys might be interested. As always, comments
appreciated (I'm still learning my fragmentation).
There has been a great deal of 'controversy' concerning
how FW-1 handles IP fragmentation. I'm not a big fan of
speculation, so I decided to test it myself. Below are
the results (tested on FW-1, ver 4.1 on Solaris x86 2.7)
Some understanding of IP Fragmentation is expected. Keep
in mind that the data length of Frag IP packets is increased
in increments of 8 bytes (Stevens).
1. FW-1 by default drops any fragmented packet that has
a data length of 8 or 16 bytes. At a minimum, the fragmented
IP packet must have a minimum data length of 24 bytes. This
means 'nmap -f' scans are dropped by default by FW-1. The
log entry will be rule 0 with info "reason: TCP packet too short".
2. Fragmented packets accepted by FW-1 rulebase (minimum 24 bytes)
are forwarded in the fragmented state. Frags in, frags out.
3. Fragmented packets not accepted by the FW-1 rulebase are not
forwarded. I DO NOT know if this means reassembly happens during
the inspection phase. More testing is required.
Does this mean that Windows systems are still vulnerable? I haven't
a clue, I'm a Unix weenie :)
All testing was done with snort, hping2, and nmap (my tools of
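Added example (not part of Lance's post): a small model of the default behaviour he reports, used to check fragment sizes against the 24-byte minimum. It assumes the fragment's data length is the IPv4 total length minus the header length, and the packet builder is a constructed test helper, not FW-1 code.

```python
import struct

# Minimum fragment data length the post reports FW-1 4.1 accepting by default.
FW1_MIN_FRAG_DATA = 24

def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header fields needed for fragment inspection."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    mf = bool(flags_frag & 0x2000)          # More Fragments flag
    offset = (flags_frag & 0x1FFF) * 8      # fragment offset is counted in 8-byte units
    return {
        "ihl": ihl,
        "proto": proto,
        "mf": mf,
        "offset": offset,
        "data_len": total_len - ihl,        # assumption: data length = total length - header
        "fragmented": mf or offset > 0,
    }

def fw1_fragment_verdict(pkt: bytes) -> tuple:
    """Model of the default behaviour described in the post: a fragment carrying
    fewer than 24 data bytes is dropped (rule 0, 'TCP packet too short').
    Returns (action, reason)."""
    hdr = parse_ipv4(pkt)
    if not hdr["fragmented"]:
        return ("inspect", "not fragmented; normal rulebase applies")
    if hdr["data_len"] < FW1_MIN_FRAG_DATA:
        return ("drop", "rule 0: TCP packet too short (%d data bytes)" % hdr["data_len"])
    return ("inspect", "fragment with %d data bytes passed to rulebase" % hdr["data_len"])

def build_fragment(data_len: int, offset_units: int, more: bool, proto: int = 6) -> bytes:
    """Constructed test packet: IPv4 header (checksum left zero) plus data_len filler bytes.
    offset_units is the fragment offset in 8-byte units, as carried on the wire."""
    flags_frag = (0x2000 if more else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + data_len, 0x1234, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + b"\x00" * data_len

if __name__ == "__main__":
    # 8- and 16-byte fragments (the sizes the post says are dropped) versus a 24-byte one.
    for size, units, mf in ((8, 0, True), (16, 1, True), (24, 0, True)):
        print(size, fw1_fragment_verdict(build_fragment(size, units, mf)))
```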