Penetration Testing mailing list archives

RE: Is ipchains -y secure enough?
From: "Golden_Eternity" <bhodi () bigfoot com>
Date: Tue, 5 Jun 2001 00:23:49 -0700

Be sure that the system is set to assemble fragmented packets. I don't know
if ipchains in particular is vulnerable to that problem, but I have heard of
other cases where it was possible to fragment a packet so that the TCP flags
weren't interpreted by the firewall and allowed to pass through.

Also, before you use '! -y', be sure you understand what it does. Since -y
triggers on packets that contain a syn and not ack or fin, the opposite of
that is a packet that contains fin and ack but not syn.

iptables provides much more control over the flags that trigger a rule, but
it's still fairly new so that may or may not be an option for you.

-----Original Message-----
From: Philip Stoev [mailto:philip () stoev org]
Subject: Is ipchains -y secure enough?

Excuse me for the ignorance, but I would like to ask if the community
considers ipchains rules containing the -y flag as secure for the purpose of
TCP filtering. Such a rule will prevent the establishment of TCP connections
to the host being firewalled. Is there a way to circumvent such a
protection?
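
Added example, not part of the original messages and not ipchains code: a small Python model of the -y test as the reply describes it (SYN set, ACK and FIN clear), run over constructed TCP headers so a rule reviewer can see which packets fall under `-y`, which under `! -y`, and what a filter has to work with when a fragment is too short to carry the flags byte. The function names, ports and sample headers are assumptions made for illustration.

```python
import struct

# Flag bits in byte 13 of the TCP header.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def header(flags, sport=40000, dport=80):
    """Constructed 20-byte TCP header carrying the given flags byte."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 1024, 0, 0)

def tcp_flags(tcp_bytes):
    """Return the flags byte, or None when the data ends before byte 13."""
    if len(tcp_bytes) < 14:
        return None
    return tcp_bytes[13]

def matches_y(flags):
    """The -y test as described in the reply: SYN set, ACK and FIN clear."""
    return bool(flags & SYN) and not flags & (ACK | FIN)

def classify(tcp_bytes):
    """Say which side of the -y test this TCP data falls on."""
    flags = tcp_flags(tcp_bytes)
    if flags is None:
        # Nothing to test: this is why the reply says to reassemble first.
        return "no-flags"
    return "-y" if matches_y(flags) else "! -y"

# Constructed samples: (label, TCP bytes as seen by the filter).
SAMPLES = [
    ("SYN", header(SYN)),
    ("SYN+ACK", header(SYN | ACK)),
    ("ACK", header(ACK)),
    ("FIN+ACK", header(FIN | ACK)),
    ("RST", header(RST)),
    ("SYN, first 8 bytes only", header(SYN)[:8]),
]

def summary():
    """Return (label, classification) for every constructed sample."""
    return [(label, classify(data)) for label, data in SAMPLES]

if __name__ == "__main__":
    for label, result in summary():
        print(f"{label:<26} {result}")
```

Only the bare SYN lands under `-y`; every other complete header lands under `! -y`, and the truncated one cannot be classified at all until the packet is reassembled.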
