Another hi!
We pretty much mean the same thing. The thing you said about a new SYN
from "it" did confuse me. You meant a new "SYN" (not really a packet
with SYN, just a SYN-alike order to the state-table) to the state-table.
But there is something important that we have missed that all of a
sudden hit me. I don't think that FW-1 considers a packet with a FIN-flag
set to be a part of an established connection! What does FIN mean? It's
a demand to take the session down! That is why it passes through...
/Robert Ståhlbrand, Ericsson Telecom AB
> -----Original Message-----
> From: Steve Birnbaum [SMTP:sbirn@security.org.il]
> Sent: 4 February 1998 12:30
> To: Robert Ståhlbrand
> Cc: 'Marek Kubita'; 'firewalls@greatcircle.com'
> Subject: Re: FW-1 and FIN scanning (was: nmap tool)
>
> robert.stahlbrand@nmac.ericsson.se said:
> > I think this is done with a cache with all current connections. When
> > you clear the table (installing a policy) he just puts this cache
> > somewhere and after it has been installed lifting the cache back in
> > the system. Why should you put in more effort?
>
> I'm not so sure about that. Like I said, my understanding is that the
> connections allowed in are those that might be possible given the
> outgoing rules. That way it can dynamically rebuild the state table
> without having to re-establish the connection.
> If something claiming to be established from outsidebox:80 is allowed
> to insidebox:4005, then if insidebox doesn't reset the connection but
> rather responds to it, then it was "surely" part of an established
> session, allowing the firewall to add it to the table.
>
> Steve
>
> --
> sbirn@security.org.il Phone: +972-2-6795860 (PGP key available)
> Fight Internet Spam! http://www.vix.com/spam/ Disclaimer: My
> opinions only.
>
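The two views in the thread (a FIN with no matching state entry being let through versus being dropped, and Steve's "could the outgoing rules have created this connection?" rebuild logic) can be made concrete with a toy state table. The following Python is an added illustration for this archive, not code from FW-1, Check Point, or either poster; the `StatefulFilter` class, its `lenient` switch, the hosts 10.0.0.5 and 192.0.2.1, and the packet sequence are all constructed for the example. Strict mode drops and logs an inbound FIN that matches no known flow (the behaviour a defender wants, since the stray probe then gets no RST back through the firewall); lenient mode models the thread's hypothesis that a packet claiming to belong to a connection the outbound rules could have opened is accepted and provisionally added to the table.

```python
"""Toy stateful packet filter illustrating how orphan FIN packets are handled.

Constructed example; it models the behaviours discussed in the thread, not any
real firewall's implementation.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# TCP flag bits (standard values from the TCP header).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# A flow is identified by (src, sport, dst, dport).
FlowKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class StatefulFilter:
    # Outbound policy: inside hosts may open connections to these destination ports.
    allowed_outbound_ports: Set[int]
    # Hosts whose address starts with this prefix are "inside" (assumption for the demo).
    inside_prefix: str = "10."
    # lenient=True models the thread's hypothesis: an inbound packet with no state
    # entry is accepted if the outbound rules could have produced such a connection.
    lenient: bool = False
    table: Set[FlowKey] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def _is_inside(self, host: str) -> bool:
        return host.startswith(self.inside_prefix)

    def filter(self, pkt: Packet) -> str:
        key: FlowKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: FlowKey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        # Case 1: a new outbound connection (SYN without ACK) from inside.
        if self._is_inside(pkt.src) and pkt.flags & SYN and not pkt.flags & ACK:
            if pkt.dport in self.allowed_outbound_ports:
                self.table.add(key)  # create the state entry
                return "ACCEPT"
            return "DROP"

        # Case 2: the packet belongs to a flow we already track (either direction).
        if key in self.table or reverse in self.table:
            if pkt.flags & (FIN | RST):
                # Orderly close or reset: the session is being torn down.
                self.table.discard(key)
                self.table.discard(reverse)
            return "ACCEPT"

        # Case 3: inbound packet with no state entry: the contested case.
        if not self._is_inside(pkt.src):
            if self.lenient and pkt.sport in self.allowed_outbound_ports:
                # "Could an outbound rule have opened this?" If so, provisionally trust it.
                self.table.add(key)
                return "ACCEPT"
            # Strict behaviour: no state, no entry. Log it as a stray probe.
            self.log.append(
                f"stray flags=0x{pkt.flags:02x} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}"
            )
            return "DROP"

        return "DROP"


def run_scenario(lenient: bool) -> Tuple[List[str], List[str]]:
    """Constructed packet sequence: one legitimate connection, then an orphan FIN.

    Returns (verdicts, log lines).
    """
    fw = StatefulFilter(allowed_outbound_ports={80, 443}, lenient=lenient)
    inside, outside = "10.0.0.5", "192.0.2.1"
    sequence = [
        Packet(inside, 4005, outside, 80, SYN),        # inside host opens a connection
        Packet(outside, 80, inside, 4005, SYN | ACK),  # reply matches the state entry
        Packet(outside, 80, inside, 4005, FIN | ACK),  # orderly close, entry removed
        Packet(outside, 80, inside, 4006, FIN),        # orphan FIN, no matching state
    ]
    verdicts = [fw.filter(p) for p in sequence]
    return verdicts, fw.log


if __name__ == "__main__":
    for mode in (False, True):
        v, log = run_scenario(lenient=mode)
        print("lenient" if mode else "strict", v, log)
```

Running the script shows the difference the thread is arguing about: in strict mode the last packet yields `DROP` and one log line naming the stray FIN, while in lenient mode the same packet is accepted and silently enters the state table. A firewall that behaves like the strict branch is also the one whose logs make FIN probes visible to the people watching them.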