Rafi Sadowsky wrote:
> 
> ## On 2002-04-08 21:03 +0200 Mikael Olsson typed:
> 
> MO> Paul Robertson wrote:
> MO> > 2. Ditto ICMP without breaking unreachables, etc.
> MO> 
> MO> I'm not quite following you here.
> MO> Unless of course you're talking about a transparent proxy
> MO> doing some ICMP error magic that I'm not familiar with,
> MO> in which case you just invalidated your previous point :)
> MO> 
> 
> For example: How about path MTU Discovery with different MTU's on both
> sides of the Firewall? (assuming of course that p-MTU works at all ;-)
This is definitely true. (If, of course, this is what Paul was referring
to, which is not unlikely; I'm just being my usual dim bulb self.)

I didn't consider PMTU. This is a good point. Although allowing (and
consistency verifying) "fragmentation needed" errors through an SPF isn't
exactly rocket science. Just a pain in the ass to do properly in order to
avoid firewalking exposure.

(Aaargh yes I know: with a proxy you wouldn't even have to worry. &%#&#&%)

I need to come up with better arguments or I'm going to come out looking
a (bigger than usual) fool :)

> MO> We offset all sequence numbers by random numbers generated by
> MO> the Yarrow PRNG.
> 
> AFAIK the Cisco PIX will randomize TCP ISN numbers
> What makes yours unique ?

As I said:

> MO> I just don't know of another example.

Now I do. If the PIX does this, we are apparently not unique in this
capability. (However, please note that I never claimed that we were.)

This is good though: it makes me less of a marketroid, and gives me more
ammo to use against Paul :)

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
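Added example, not part of the thread and not code from Clavister, Cisco or any product named above: a toy Python model of the "consistency verifying" check Mikael describes, in which a stateful packet filter passes an ICMP "fragmentation needed" error only when the datagram it quotes belongs to a connection already in the state table. The addresses, port numbers, state-table layout and helper names are all constructed for the illustration.

```python
import struct
import ipaddress

# Hypothetical stateful packet filter (SPF) model, constructed for this
# example. The state table is a set of 5-tuples
# (proto, src, sport, dst, dport) recorded when a flow was opened.

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (IHL=5, no options, checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_tcp_stub(sport: int, dport: int, seq: int) -> bytes:
    """First 8 bytes of a TCP header (ports + sequence number): all that an
    ICMP error is required to quote of the original transport header."""
    return struct.pack("!HHI", sport, dport, seq)

def build_frag_needed(router: str, victim: str, quoted: bytes, mtu: int) -> bytes:
    """ICMP type 3 / code 4 from `router` to `victim`, quoting the original
    datagram's IP header plus its first 8 payload bytes."""
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted[:28]
    return build_ipv4(1, router, victim, icmp)

def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, payload) or raise ValueError."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    return proto, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), pkt[ihl:]

def frag_needed_verdict(pkt: bytes, state: set) -> tuple:
    """Pass an inbound 'fragmentation needed' only if the datagram it quotes
    belongs to a flow already in the state table. Errors that cannot be tied
    to a tracked flow are dropped, so they cannot be used to probe for hosts
    and ports behind the filter."""
    try:
        proto, icmp_src, icmp_dst, payload = parse_ipv4(pkt)
    except ValueError as e:
        return False, str(e)
    if proto != 1:
        return False, "not ICMP"
    if len(payload) < 8 + 20 + 8:  # ICMP header + quoted IP header + 8 L4 bytes
        return False, "truncated ICMP error"
    itype, icode, _, _, next_mtu = struct.unpack("!BBHHH", payload[:8])
    if (itype, icode) != (3, 4):
        return False, "not fragmentation-needed"
    if next_mtu < 68:  # below the IPv4 minimum MTU; treat as bogus
        return False, "implausible next-hop MTU"
    try:
        q_proto, q_src, q_dst, q_l4 = parse_ipv4(payload[8:])
    except ValueError as e:
        return False, "bad quoted header: " + str(e)
    # The quoted datagram must have been sent by the host the error goes to.
    if q_src != icmp_dst:
        return False, "quoted datagram was not sent by the ICMP destination"
    if q_proto not in (6, 17) or len(q_l4) < 4:
        return False, "quoted transport header not usable"
    sport, dport = struct.unpack("!HH", q_l4[:4])
    fwd = (q_proto, q_src, sport, q_dst, dport)
    rev = (q_proto, q_dst, dport, q_src, sport)
    if fwd not in state and rev not in state:
        return False, "no matching connection"
    return True, "ok mtu=%d" % next_mtu

# Constructed scenario: inside host 10.0.0.5 opened TCP 40000 -> 203.0.113.7:443.
STATE = {(6, "10.0.0.5", 40000, "203.0.113.7", 443)}
ORIGINAL = build_ipv4(6, "10.0.0.5", "203.0.113.7",
                      build_tcp_stub(40000, 443, 1000) + b"x" * 1400)
# Legitimate PMTU error from an outside router quoting the real datagram.
GOOD = build_frag_needed("198.51.100.1", "10.0.0.5", ORIGINAL, 1400)
# Probe quoting a host with no tracked connection: dropped.
PROBE = build_frag_needed("198.51.100.1", "10.0.0.9",
                          build_ipv4(6, "10.0.0.9", "203.0.113.7",
                                     build_tcp_stub(40000, 443, 1)), 1400)
# Error addressed to a host other than the quoted sender: inconsistent, dropped.
SPOOF = build_frag_needed("198.51.100.1", "10.0.0.9", ORIGINAL, 1400)

if __name__ == "__main__":
    for name, p in (("good", GOOD), ("probe", PROBE), ("spoof", SPOOF)):
        print(name, frag_needed_verdict(p, STATE))
```

Every ICMP error quotes the offending datagram's IP header plus its first eight bytes (RFC 792), so the same tuple check extends to the other error types, including the TTL-exceeded replies that firewalking-style probes rely on; the point is simply that only errors tied to a tracked flow get through. A fuller filter could also compare the quoted TCP sequence number against the flow's window and record the advertised MTU against the flow.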
