Great Circle Associates Firewalls
(October 1997)

Subject: Re: sex, lies, and firewall code
From: Peter da Silva <peter@baileynm.com>
Date: Tue, 21 Oct 1997 09:46:06 -0500 (CDT)
To: brian@firehouse.net (Brian Mitchell)
Cc: firewalls@GreatCircle.COM
In-reply-to: <Pine.BSI.3.95.971020222442.5505A-100000@shell.firehouse.net> from "Brian Mitchell" at Oct 20, 97 10:30:38 pm

> Define 'cleanly'. You could do the connect stuff in nonblocking mode then
> switch to blocking mode after one of the sockets is in the connected
> state.

But how do you have multiple "accept"s pending?

> decent stateless filters can block fragment attacks; stealth scans really
> can't be detected at the application level, so you are a loser there as
> well.

They can't be *detected*, but they can't get through a proxy either, since
the proxy won't accept the SYN/ACK.

The big thing is that when the next silly bugger figures out an IP level
attack, odds are the proxies will block it because they throw all that
information away.
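The technique in the quoted paragraph (start the connect non-blocking, then go back to blocking once the socket is connected) written out as an added C example; it is not code from this thread, and the function names and the make_listener loopback helper are my own, used so the example runs offline.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Start a connect() without blocking. Returns the socket, still non-blocking,
 * with the connect done or pending (EINPROGRESS); -1 if it failed outright. */
int connect_nonblocking(const struct sockaddr_in *addr)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK) < 0 ||
        (connect(fd, (const struct sockaddr *)addr, sizeof *addr) < 0 &&
         errno != EINPROGRESS)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Wait up to timeout_ms for the pending connect, read SO_ERROR for the real
 * outcome, then clear O_NONBLOCK so later read()/write() block as usual. */
int finish_connect(int fd, int timeout_ms)
{
    fd_set wfds;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    int err = 0; socklen_t len = sizeof err;
    FD_ZERO(&wfds);
    FD_SET(fd, &wfds);
    if (select(fd + 1, NULL, &wfds, NULL, &tv) <= 0) return -1; /* timed out */
    if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0 || err != 0)
        return -1;                                   /* e.g. ECONNREFUSED */
    return fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
}

/* Helper (constructed for this example): a listener on 127.0.0.1 with a
 * kernel-chosen port. Fills *addr with the address a client should connect to. */
int make_listener(struct sockaddr_in *addr)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    socklen_t len = sizeof *addr;
    *addr = (struct sockaddr_in){ .sin_family = AF_INET,
                                  .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (fd < 0 || bind(fd, (struct sockaddr *)addr, len) < 0 ||
        listen(fd, 4) < 0 || getsockname(fd, (struct sockaddr *)addr, &len) < 0)
        return -1;
    return fd;
}
```

Checking SO_ERROR before clearing O_NONBLOCK matters: a writable socket after select() only means the connect attempt finished, not that it succeeded.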

