Ben Nagy wrote:
>
> Assuming that the packets make it past the first post, the _data_ in those
> packets gets handed off to userspace for further inspection. For this to
> happen, the FW TCP/IP stack needs to do all the normal TCP/IP stack things -
> reassembly, retransmission, reordering blah blah blah. Obviously the
> sequence numbers are used at this point.
I hope you realize that it looks like you're describing FW-1 here.
I'm not sure if that's what you intended, but for fw-1, it's pretty
much "dead wrong". FW-1 doesn't care jack about sequence numbers.
For all I know, you could shoot any application level command through
it by sending overlapping segments that rewrite the result at the
receiving host.
I would guess that the same applies to f.i. PIX, otherwise
the FTP PORT/PASV fun wouldn't have worked with them either,
which it did.
(Note: we're talking vanilla fw-1 here. I don't have a single clue
what happens in its "security servers", other than having seen
posts where people claim that they are simply proxies rebranded
so that fw-1 wouldn't have to be associated with such technology :)
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00 Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636 Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/ E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
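Added illustration of the overlapping-segment point made in the message above (example code, not part of the original post or of any firewall product): a toy Python model in which a filter inspects each TCP segment's payload on its own, while the receiving host reassembles the stream and so ends up reading bytes the filter never saw as a whole. The FTP command strings, the forbidden pattern and the two overlap policies ("first" keeps what was already buffered, "last" lets a later segment overwrite) are constructed and simplified for the example; real TCP stacks resolve overlaps in more varied ways.

```python
# Added example, not from the original post: a toy model of why a filter that
# inspects TCP segments one at a time cannot see data that only exists once the
# receiving host has reassembled overlapping segments.  The segments, the FTP
# command strings and the two overlap policies below are constructed for the
# example; real TCP stacks have more nuanced overlap handling.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Segment:
    seq: int     # relative sequence number of the first payload byte
    data: bytes  # payload as carried on the wire


def per_segment_filter(segments: List[Segment], forbidden: bytes) -> List[Segment]:
    """Stateless inspection: look for the pattern inside each payload on its own.

    Returns the segments that would be dropped.  Anything spread over, or
    assembled from, several segments is invisible to this check.
    """
    return [seg for seg in segments if forbidden in seg.data]


def reassemble(segments: List[Segment], policy: str = "first") -> bytes:
    """Rebuild the byte stream the application on the receiving host reads.

    policy="first": bytes already received are kept, later overlaps ignored.
    policy="last":  a later segment overwrites what is already buffered.
    Raises ValueError if the segments leave a hole in the stream.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown overlap policy: %r" % policy)
    buf: Dict[int, int] = {}
    for seg in segments:                     # processed in arrival order
        for i, byte in enumerate(seg.data):
            offset = seg.seq + i
            if policy == "last" or offset not in buf:
                buf[offset] = byte
    if not buf:
        return b""
    stream = bytearray()
    for offset in range(max(buf) + 1):
        if offset not in buf:
            raise ValueError("hole in stream at offset %d" % offset)
        stream.append(buf[offset])
    return bytes(stream)


def reassembling_filter(segments: List[Segment], forbidden: bytes, policy: str) -> bool:
    """Inspection done on the reassembled stream, using a given overlap policy.

    Returns True if the forbidden pattern is found.  The verdict is only
    right when `policy` matches what the protected host actually does.
    """
    return forbidden in reassemble(segments, policy)


# Constructed sample: an FTP control-channel exchange in which the first
# segment carries a harmless RETR command and a later, overlapping segment
# rewrites the first four bytes so that the host reads DELE instead.
FORBIDDEN = b"DELE secret.txt"
SEGMENTS = [
    Segment(seq=0, data=b"RETR secret.txt\r\n"),  # passes: no DELE here
    Segment(seq=0, data=b"DELE"),                 # passes: pattern incomplete
]

if __name__ == "__main__":
    print("per-segment filter drops:", per_segment_filter(SEGMENTS, FORBIDDEN))
    for pol in ("first", "last"):
        verdict = "blocked" if reassembling_filter(SEGMENTS, FORBIDDEN, pol) else "allowed"
        print("host policy %-5s -> %r (%s)" % (pol, reassemble(SEGMENTS, pol), verdict))
```

Both segments pass the per-segment check, yet a host that lets later data overwrite earlier data ends up executing the DELE. A filter that does track sequence numbers and reassembles can catch this, but only if it resolves the overlap the same way the protected host does; if it keeps the first bytes while the host keeps the last, the rewritten command still gets through.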