On Wed, 10 Apr 2002, Mikael Olsson wrote:

> Hm. I must be missing something here. I don't think of inbound
> ICMP errors as being very harmful. (Given that they've
> been structurally verified and so on.)

Anything inbound is a potential tunnel, and everything inbound needs to be rate-limited.

> Inbound unreachables do have the potential of cutting connections
> a bit more uncontrollably than TCP RSTs, but the same is true
> even if the proxy firewall originated its own outbound connection.
>
> Outbound ICMP errors on the other hand are a different story, of course.
> (Firewalk & co).

Unfortunately, more people are worried about what comes in than what goes out (most people should be equally worried.)

> > Reordering "properly" is OS dependent. That's why multiple overlapping
> > frags are "interesting" IDS attacks.
>
> Yeah, if you allow overlapping frags, "properly" is hard (impossible?)
> to define. We don't allow overlaps. (I'd very much like to learn what
> others are doing though. Lance's writeup on FW-1 and fragmentation
> didn't exactly leave me reassured :/ )

The issue becomes how much checking is someone doing with frags, as it becomes a pretty plausible DoS attack to send pseudo-initial frags in some instances.

> And here's one more for proxies: most (all?) proxy firewalls ride
> on top of full-fledged OSes, and when the proxy dies, it tends
> to leave the OS somewhat unshielded :)

Unshielded how? If the proxy code is all that's bound to sockets, the exposure window isn't all that horrific, is it?

> OTOH, the same is true for at least the majority of the SPFs.

%&#%. Darnit! No fair taking my points! ;)

> ObFsckups: It was very amusing to see what happened to an FW-1 box
> (delivered and configured by checkpoint; the default solaris inetd.conf
> left untouched) when the FW-1 license file decided to go invalid.

Ouch. It's worse: for that particular product, the intense amount of "it all happens before anything touches the host stack, so we don't need to worry about that" protection is nullified in the case of the management ports and VPN endpoint. Oops!

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
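The two fragment-handling points raised in the exchange, a "no overlapping fragments" rule and the cost of tracking pseudo-initial fragments that never complete, as an added example in Python; this is illustrative code written for this page, not code from either poster or from any firewall product. The 8-byte minimum for an initial fragment and the per-source cap of two incomplete datagrams are assumptions chosen to keep the example short.

```python
"""Fragment-policy checker (added example; thresholds are assumptions)."""
from dataclasses import dataclass, field
from typing import Optional

MIN_INITIAL_BYTES = 8     # assumption: first fragment must at least carry the L4 ports
MAX_PENDING_PER_SRC = 2   # assumption: cap on incomplete datagrams held per source

@dataclass
class Fragment:
    src: str        # source address
    ident: int      # IP identification field
    offset: int     # byte offset into the original datagram (IP field * 8)
    length: int     # payload bytes carried by this fragment
    more: bool      # MF flag

@dataclass
class Reassembly:
    pieces: list = field(default_factory=list)   # (start, end) byte ranges seen so far
    total: Optional[int] = None                  # datagram size, known once MF=0 arrives

class FragmentPolicy:
    def __init__(self):
        self.pending = {}     # (src, ident) -> Reassembly
        self.verdicts = []    # audit trail of (src, ident, verdict)

    def _fail(self, frag, why):
        self.pending.pop((frag.src, frag.ident), None)   # reject the whole datagram
        self.verdicts.append((frag.src, frag.ident, why))
        return why

    def accept(self, frag):
        key = (frag.src, frag.ident)
        ctx = self.pending.get(key)
        if ctx is None:
            if sum(1 for s, _ in self.pending if s == frag.src) >= MAX_PENDING_PER_SRC:
                return self._fail(frag, "drop: reassembly quota exceeded")
            ctx = self.pending[key] = Reassembly()
        if frag.offset == 0 and frag.more and frag.length < MIN_INITIAL_BYTES:
            return self._fail(frag, "drop: tiny initial fragment")
        start, end = frag.offset, frag.offset + frag.length
        if ctx.total is not None and end > ctx.total:
            return self._fail(frag, "drop: fragment past datagram end")
        if any(start < e and s < end for s, e in ctx.pieces):   # shares a byte with an earlier piece
            return self._fail(frag, "drop: overlapping fragment")
        ctx.pieces.append((start, end))
        if not frag.more:
            ctx.total = end
        # pieces are disjoint, so their lengths summing to total means full coverage
        if ctx.total is not None and sum(e - s for s, e in ctx.pieces) == ctx.total:
            del self.pending[key]
            self.verdicts.append((frag.src, frag.ident, "complete"))
            return "complete"
        return "pending"
```

A flood of initial fragments from one address is absorbed by the quota rather than by unbounded reassembly state, and `verdicts` gives the log line a detection pipeline would want.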
