Penetration Testing mailing list archives
Re: Is ipchains -y secure enough?
From: "Marius Huse Jacobsen" <mahuja () c2i net>
Date: Thu, 7 Jun 2001 17:56:01 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Excuse me for the ignorance,
Better ask than stay ignorant :)
but I would like to ask if the community considers ipchains rules containing the -y flag as secure for the purpose of TCP filtering. Such a rule will prevent the establishment of TCP connections to the host being firewalled. Is there a way to circumvent such a protection?
Be sure that the system is set to assemble fragmented packets. I don't know if ipchains in particular is vulnerable to that problem, but I have heard of other cases where it was possible to fragment a packet so that the TCP flags weren't interpreted by the firewall and allowed to pass through.
Ipchains too. I don't know if they fixed it for the latest version(s). I believe the fragrouter program demonstrated it? AFAIR, the tcp header could, after being reviewed by ipchains as good (e.g. normal packet from port 80 to port 2305), be accepted, with fragmentation later overwriting the header so the target receives a packet (say, syn port 40389 to port 25) Possibly the changes possible were even more limited than this. This would however, depend on fragmentation handling on the target computer. And, it would not work if you set the box to reassemble all packets passing through.
iptables provides much more control over the flags that trigger a rule, but its still fairly new so that may or may not be an option for you.
There was a security hole in the ftp extension to it - an attacker could make the firewall expect (accept) a connection. -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.1 iQA/AwUBOx+j9qiljHbgv3neEQJUBgCfSesL97ySz39eVlRxumZxHfPtUkEAnRc+ xIJd+rdR5kLRzk2SkJfBI3xY =C95T -----END PGP SIGNATURE----- Don't look at computer security as a cage, but as a shield.
Current thread:
- Is ipchains -y secure enough? Philip Stoev (Jun 04)
- RE: Is ipchains -y secure enough? Golden_Eternity (Jun 05)
- Re: Is ipchains -y secure enough? Marius Huse Jacobsen (Jun 07)
- <Possible follow-ups>
- RE: Is ipchains -y secure enough? Firehose () cavu com (Jun 24)
- RE: Is ipchains -y secure enough? Golden_Eternity (Jun 05)