Nmap Announce mailing list archives
nmap -f and FW-1
From: Lance Spitzner <lance () spitzner net>
Date: Wed, 24 May 2000 23:19:19 -0500 (CDT)
Just posted this to the FW-1 listserv, thought you guys might be interested. As always, comments appreciated (I'm still learning my fragmentation).

There has been a great deal of 'controversy' concerning how FW-1 handles IP fragmentation. I'm not a big fan of speculation, so I decided to test it myself. Below are the results (tested on FW-1, ver 4.1 on Solaris x86 2.7). Some understanding of IP Fragmentation is expected. Keep in mind that the data length of Frag IP packets is increased in increments of 8 bytes (Stevens).

1. FW-1 by default drops any fragmented packet that has a data length of 8 or 16 bytes. At a minimum, the fragmented IP packet must have a minimum data length of 24 bytes. This means 'nmap -f' scans are dropped by default by FW-1. The log entry will be rule 0 with info "reason: TCP packet too short".

2. Fragmented packets accepted by FW-1 rulebase (minimum 24 bytes) are forwarded in the fragmented state. Frags in, frags out.

3. Fragmented packets not accepted by the FW-1 rulebase are not forwarded. I DO NOT know if this means reassembly happens during the inspection phase. More testing is required.

Does this mean that Windows systems are still vulnerable? I haven't a clue, I'm a Unix weenie :)

All testing was done with snort, hping2, and nmap (my tools of choice).

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
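An added example (not from Lance's post or from Check Point) that applies the observed 24-byte threshold to raw IPv4 fragments, the way a detection rule or a lab harness might reproduce the FW-1 4.1 behaviour described above. The fragment builder, the 8/8/4-byte split standing in for what nmap -f sends, and the reason text for non-TCP fragments are constructed assumptions; the post only tested TCP.

```python
import struct

# Threshold observed in the post: fragments with 8 or 16 data bytes are
# dropped and logged as rule 0 "TCP packet too short"; 24 or more pass on.
FW1_MIN_FRAG_DATA = 24
IPPROTO_TCP = 6


def build_ipv4_fragment(data_len, offset_units, more_fragments, ident=0x1234):
    """Constructed IPv4 header (IHL=5, no options, checksum left 0) plus
    data_len filler bytes. offset_units is in 8-byte units, as on the wire."""
    flags_frag = (int(more_fragments) << 13) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + data_len, ident, flags_frag,
                         64, IPPROTO_TCP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + b"\x00" * data_len


def classify_fragment(packet):
    """Apply the observed FW-1 rule to one raw IPv4 packet -> (verdict, detail)."""
    ver_ihl, _, total_len, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8            # byte offset of this piece
    data_len = total_len - ihl
    if not more_fragments and offset == 0:
        return ("pass", "not a fragment; normal rulebase inspection")
    if more_fragments and data_len % 8:
        # RFC 791: every non-final fragment carries a multiple of 8 data bytes
        return ("drop", "malformed: non-final fragment not a multiple of 8 bytes")
    if data_len < FW1_MIN_FRAG_DATA:
        # "TCP packet too short" is the logged reason from the post; the
        # wording for other protocols is an assumption, not observed.
        reason = "TCP packet too short" if proto == IPPROTO_TCP else "fragment too short"
        return ("drop", "rule 0, reason: %s (%d data bytes at offset %d)" % (reason, data_len, offset))
    return ("forward", "forwarded unreassembled (%d data bytes at offset %d)" % (data_len, offset))


def nmap_f_style_fragments():
    """Constructed stand-in for nmap -f: a 20-byte TCP header cut into
    8-byte pieces (8, 8 and a final 4) at offsets 0, 1 and 2 units."""
    return [build_ipv4_fragment(8, 0, True),
            build_ipv4_fragment(8, 1, True),
            build_ipv4_fragment(4, 2, False)]


if __name__ == "__main__":
    for pkt in nmap_f_style_fragments():
        print(classify_fragment(pkt))      # all three dropped
    print(classify_fragment(build_ipv4_fragment(24, 0, True)))   # forwarded
```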