Great Circle Associates Firewalls
(July 1996)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: IP Masquerading and vulnerabilities
From: Mike Shaver <shaver @ neon . ingenia . ca>
Date: Sun, 14 Jul 1996 02:17:52 -0400 (EDT)
To: peter @ baileynm . com (Peter da Silva)
Cc: cosmo @ ebs . net, firewalls @ GreatCircle . COM
In-reply-to: <9607131629 . AA19394 @ sonic . nmti . com . nmti . com> from "Peter da Silva" at Jul 13, 96 11:29:03 am

Thus spake Peter da Silva:
> 
> >    Linux 2.0 has an option to re-assemble all fragmented 
> >    packets going thru it before applying the filter which stops it.
> 
> Or just block packets that are too short to hold all the options. If you try
> and reassemble all the fragments that opens you up to a denial of service
> attack, and there really isn't any legitimate need to have packets that
> short.

The Linux 2.0 CONFIG_ALWAYS_DEFRAG stuff is designed to make the
transparent proxy and NAT code more correct; otherwise, you can get
things like PORT commands (which matter to the NAT stuff, obviously)
split between 2 fragments.

My recommendation is that the transparent proxy stuff is better than
the NAT stuff (Darren? =) ), but it's not quite as plug-and-play.

Mike

-- 
#> Mike Shaver (shaver @
 ingenia .
 com) Ingenia Communications Corporation <#
#>            Chief System Architect and Herder of Bits                <#
#>                                                                     <#
#> "Yoda say, `Just slap a little public key crypto into it' does not  <#
#>      a secure system make." -- Marcus J. Ranum (mjr @
 clark .
 net)      <#


Follow-Ups:
References:
Indexed By Date Previous: Re: Extending Financial Applications And Protecting via a Firewall
From: Mark Allyn 206-860-9454 <allyn @ allyn . com>
Next: RE: Dirty Dogs
From: "Emmanuel Turner" <et @ shadowfax . whanganui . ac . nz>
Indexed By Thread Previous: Re: IP Masquerading and vulnerabilities
From: peter @ baileynm . com (Peter da Silva)
Next: Re: IP Masquerading and vulnerabilities
From: Craig Brozefsky <cosmo @ ebs . net>

Google
 
Search Internet Search www.greatcircle.com