Full Disclosure mailing list archives

IP'less bridging firewall


From: full-disclosure () lists netsys com (Evrim ULU)
Date: Sat, 17 Aug 2002 10:26:48 +0300

Hi,

We have set up an IP-less (0.0.0.0) bridging Linux firewall using the bridge-nf patch. 
At the beginning, ipt_REJECT.c was not working since no interface has an IP address. 
Then we made it produce the necessary TCP RST & ICMP port unreachable packets. 
Now it's working quite well, and no SYN attacks can reach the machines behind the 
firewall.

Also, configuring it correctly leads to an invisible firewall. Firewalking can 
be eliminated using the ttl module of iptables.

In addition, if there are insufficient ports open on the protected machine 
behind the firewall, nmap may get confused while determining the OS, since RST packets 
are generated by the firewall.

On top of this, random OS stack fingerprinting can be added to confuse nmap etc.

On the other hand, we haven't tried to mangle the connections. If this can also 
be done, the boxes behind the firewall can be protected further.

This firewall has 3 NICs, and one is connected to my console box directly. Snort 
is installed to dynamically block flood/DDoS/buffer overrun attacks.

Finally, we're looking for test methods to penetrate this firewall. I've no idea 
how this box could be *hacked* & *abused* & *DDoSed*.

*There is no spoon*
-------------------> *and no firewall either*

-- 
Evrim ULU
evrim () envy com tr / evrim () core gen tr
sysadm
http://www.core.gen.tr
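As an added example, not part of Evrim's post and not the ruleset his box actually runs: a minimal iptables ruleset, in iptables-restore format, for the kind of IP-less bridging firewall the post describes. It assumes a Linux bridge br0 with eth0 (outside) and eth1 (inside) enslaved and no address on any of them, a kernel where bridged frames traverse the FORWARD chain (the bridge-nf patch then, br_netfilter with net.bridge.bridge-nf-call-iptables=1 now), and the physdev, ttl and conntrack matches plus the REJECT target. The host 192.0.2.10 and the open ports are constructed for the example.

```iptables
# Added example (not from the original post). Load with: iptables-restore < rules
# Assumes: br0 bridging eth0 (outside) and eth1 (inside), no IP on the bridge,
# net.bridge.bridge-nf-call-iptables=1, and the physdev/ttl/conntrack matches.
# 192.0.2.10 is a constructed address for the protected host.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:OUTSIDE-IN - [0:0]

# The bridge has no IP address, so nothing should ever be addressed to it;
# the INPUT/OUTPUT drop policies keep it silent even if something is.

# Replies for flows already tracked, in either direction.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Frames entering on the outside port and leaving on the inside port go
# through the inbound policy chain.
-A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -j OUTSIDE-IN

# Hosts on the inside may open new connections to the outside.
-A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -m conntrack --ctstate NEW -j ACCEPT

# Anti-firewalking: a bridge does not decrement TTL, so a probe that reaches us
# with TTL 1 is built to expire on the first router behind the firewall, and
# that router's ICMP time-exceeded is what a firewalk reads. Drop it silently
# so nothing behind us answers and the firewall's position stays hidden.
-A OUTSIDE-IN -m ttl --ttl-lt 2 -j DROP

# Services exposed on the protected host (constructed: SSH and HTTP).
-A OUTSIDE-IN -p tcp -d 192.0.2.10 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTSIDE-IN -p tcp -d 192.0.2.10 --dport 80 -m conntrack --ctstate NEW -j ACCEPT

# Closed TCP ports: answer with a RST so a scanner sees "closed" rather than
# "filtered". The RST is forged by the bridge, not the host, which is what the
# post's REJECT fix needed and why nmap's OS guess for the host gets skewed.
-A OUTSIDE-IN -p tcp -d 192.0.2.10 -j REJECT --reject-with tcp-reset

# Closed UDP ports: ICMP port unreachable, as a real host would send.
-A OUTSIDE-IN -p udp -d 192.0.2.10 -j REJECT --reject-with icmp-port-unreachable

# Everything else (other protocols, other destinations) is dropped.
-A OUTSIDE-IN -j DROP
COMMIT
```

Before loading it, create the bridge with no address (for example `ip link add br0 type bridge`, `ip link set eth0 master br0`, `ip link set eth1 master br0`, then bring all three up) and enable `net.bridge.bridge-nf-call-iptables=1`; without that sysctl the bridged frames never reach the FORWARD chain and the ruleset does nothing. Note the REJECT rules apply to traffic from the outside port only, so the bridge never forges packets on behalf of inside hosts, and the SYN-reaching-the-host claim in the post holds here because a SYN to a closed port is answered by the bridge before it is forwarded.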