[...]
> given some other measures PIX takes to 
> try to keep
> a low profile, like not decrementing TTL's in the IP header.  But then
> again, that example is really another case of making yourself
> identifiable by trying to make yourself unidentifiable... 
> d'oh... double
> irony.
> 
> Michael

That's interesting - that should make it virtually impossible to map a PIX
ruleset with hping2 or firewalk (which is good) but it breaks the RFC for IP
routers (which is possibly bad).

(From RFC 791)
"[The IP TTL field] must be decreased at each point that the internet header
is processed to reflect the time spent processing the datagram."

I'm happy with how bridge-mode firewalls work, but the PIX acts as a router,
with all interfaces having an IP address - there's something wrong here...

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304 
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
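The hop arithmetic behind the exchange above, as an added example that is not part of the original thread: a small Python model of a path in which every hop decrements the TTL as RFC 791 requires, beside one in which the firewall passes the TTL through untouched. The hop names (r1, r2, pix, r3, web), the five-hop layout and the set of ports the firewall permits (80 and 443) are constructed for illustration, and the probing logic is the generic TTL-expiry idea behind firewalk and traceroute-style hping2 scans, not those tools' own code.

```python
"""Toy model of IP TTL handling along a path.

Added example, not from the original thread: hop names, the five-hop layout
and the firewall's permitted ports (80, 443) are constructed for illustration.
A standard router decrements TTL (RFC 791) and answers ICMP Time Exceeded when
it reaches zero; a device that does not decrement is invisible to hop counting.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Hop:
    name: str
    decrements_ttl: bool = True               # RFC 791 behaviour
    allowed_ports: Optional[Set[int]] = None  # None: plain router, forwards all


Outcome = Tuple[Optional[str], str]  # (responder, result)


def send(path: List[Hop], ttl: int, dport: int) -> Outcome:
    """Walk one probe along the path and report what the sender sees:
    ('hopname', 'time-exceeded') for an ICMP type 11 from a transit hop,
    (None, 'no-response') when a firewall silently drops it, or
    ('host', 'delivered') when it reaches the last device."""
    for hop in path[:-1]:
        if hop.decrements_ttl:
            ttl -= 1
            if ttl == 0:
                return hop.name, "time-exceeded"
        if hop.allowed_ports is not None and dport not in hop.allowed_ports:
            return None, "no-response"
    return path[-1].name, "delivered"


def traceroute(path: List[Hop], dport: int, max_ttl: int = 30) -> List[str]:
    """Hop list as the prober sees it: one probe per TTL until delivery."""
    seen: List[str] = []
    for ttl in range(1, max_ttl + 1):
        responder, result = send(path, ttl, dport)
        if result == "delivered":
            seen.append(responder)
            break
        seen.append(responder if result == "time-exceeded" else "*")
    return seen


def gateway_hop_count(path: List[Hop], gateway: str, dport: int = 80) -> int:
    """Firewalk's first phase: traceroute to the gateway's own address."""
    idx = next(i for i, h in enumerate(path) if h.name == gateway)
    return len(traceroute(path[: idx + 1], dport))


def firewalk(path: List[Hop], gateway_hop: int, ports: List[int]) -> Dict[int, Outcome]:
    """Firewalk's second phase: probes with TTL one past the gateway. If the
    gateway forwards a probe it should expire on the next hop and draw a
    Time Exceeded; if the gateway filters it, silence."""
    return {p: send(path, gateway_hop + 1, p) for p in ports}


def build_path(pix_decrements_ttl: bool) -> List[Hop]:
    """Constructed topology: two routers, the firewall, a DMZ router, a web host."""
    return [
        Hop("r1"),
        Hop("r2"),
        Hop("pix", decrements_ttl=pix_decrements_ttl, allowed_ports={80, 443}),
        Hop("r3"),
        Hop("web"),
    ]


if __name__ == "__main__":
    for label, decrements in (("RFC 791 router", True), ("TTL-transparent PIX", False)):
        path = build_path(decrements)
        print(f"== {label} ==")
        print("traceroute to web, port 80:", traceroute(path, 80))
        print("traceroute to web, port 22:", traceroute(path, 22, max_ttl=5))
        gw = gateway_hop_count(path, "pix")
        print("gateway hop count:", gw)
        for port, outcome in firewalk(path, gw, [22, 80, 443]).items():
            print(f"  port {port}: {outcome}")
```

Running it shows two things. The device vanishes from a traceroute when it does not decrement, including the traceroute on a blocked port that would otherwise end with a Time Exceeded from the firewall itself. And the firewalk-style probe built from the gateway's hop count overshoots: instead of expiring one hop past the firewall and returning ICMP Time Exceeded from r3, a permitted probe is delivered to the host behind it, so the response the technique keys on never arrives.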