> ...., but it also has the
> ability to defragment incoming packets for reassembly and proper
> analysis.

Fragmented packets should be DROPPED. Packet reassembly sounds like a nifty feature to have, but it's a DoS attack from Hell just waiting for someone to write the code -- if they haven't yet. The only downside of dropping fragments is that in a few cases clients may need to tweak their MTUs. Fragmentation needs to be done at the UDP/TCP layer (ICMP never has a legitimate need for it) so every packet has the headers needed for security analysis.

Dave Gillett

> -----Original Message-----
> From: Jason Dixon [mailto:[EMAIL PROTECTED]]
> Sent: January 8, 2003 10:13
> To: [EMAIL PROTECTED]
> Subject: RE: win2k firewall
>
>
> On Tue, 2003-01-07 at 15:26, Daniel R. Miessler wrote:
> > > Why would you tell someone to run blackice which has bugs in it.
> > > If you're going to have a firewall, just grab a box that is not being used
> > > and put Openbsd on there and make your firewall that way.
> >
> > Because when you pass ports through a packet filter into a machine offering
> > services, OpenBSD isn't going to help you. There is little difference
> > between doing this and just turning off all services other than the public
> > ones and putting it right on the Internet with no protection at all.
>
> I hope you're simply trolling, because that has to be one of the most
> asinine, ignorant responses I've seen on this list to date. You
> obviously have little experience with firewalls. Do you understand the
> concepts of stateful inspection? TCP flags?
>
> An open server without firewall protection has no ability to protect
> itself from spoofed or mangled connections. OpenBSD has a fully
> functional, state-of-the-art packet inspection and state engine in PF.
> It not only has the ability to track full state in TCP (full sequence
> tracking), UDP and ICMP (connection tracking), but it also has the
> ability to defragment incoming packets for reassembly and proper
> analysis. Not to mention the current QoS code that's been released for
> some time now, and the upcoming (6 months or so) stateful synching
> abilities between disparate systems.
>
> OpenBSD/PF compete aggressively with all of the major commercial
> offerings out there... FW-1, Netscreen, etc. To claim that OpenBSD is
> inferior to BlackIce in any stretch of the imagination... is laughable.
>
> I'm not here to criticize BlackIce or compare it to OpenBSD. Rather, I
> just wanted to point out that you have no idea what the hell you're
> talking about when it comes to OpenBSD firewalls.
>
> -J.
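Dave Gillett's point above is that a non-initial IP fragment carries no TCP/UDP header, so a filter that inspects ports or flags has nothing to inspect in it. The Python below is an added illustration, not code from the thread or from PF: it parses constructed IPv4 packets and applies the drop-all-fragments policy he argues for, with the packet builder, sample packets and the allowed-port list all being assumptions made for the example.

```python
import struct

def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header fields a fragment policy needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),      # More Fragments flag (bit 13)
        "offset": (flags_frag & 0x1FFF) * 8,  # fragment offset, in bytes
        "payload": pkt[ihl:],
    }

def transport_ports(hdr: dict):
    """Return (src_port, dst_port) when a full TCP/UDP header is present,
    else None: a non-initial fragment has no transport header at all."""
    if hdr["offset"] != 0 or hdr["proto"] not in (6, 17) or len(hdr["payload"]) < 8:
        return None
    return struct.unpack("!HH", hdr["payload"][:4])

def filter_decision(pkt: bytes, allowed_dst_ports=(80, 443)) -> str:
    """Drop-fragments policy: any fragment (MF set or offset != 0) is dropped
    before port inspection, so every inspected packet is whole. Protocols other
    than TCP/UDP are outside this toy policy and are dropped too (assumption)."""
    hdr = parse_ipv4(pkt)
    if hdr["mf"] or hdr["offset"] != 0:
        return "drop:fragment"
    ports = transport_ports(hdr)
    if ports is None:
        return "drop:no-transport-header"
    return "pass" if ports[1] in allowed_dst_ports else "drop:port"

def build_ipv4(proto: int, flags_frag: int, payload: bytes) -> bytes:
    """Constructed packet builder (no checksum; enough for parsing)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

# Constructed samples: a whole TCP segment to port 80, a first fragment (MF set),
# and a later fragment whose payload is opaque bytes with no TCP header in it.
WHOLE = build_ipv4(6, 0x0000, struct.pack("!HH", 40000, 80) + b"\x00" * 16)
FIRST_FRAG = build_ipv4(6, 0x2000, struct.pack("!HH", 40000, 80) + b"\x00" * 16)
LATER_FRAG = build_ipv4(6, 0x0003, b"\x00" * 24)  # offset 24 bytes, MF clear

if __name__ == "__main__":
    for name, p in (("whole", WHOLE), ("first", FIRST_FRAG), ("later", LATER_FRAG)):
        print(name, filter_decision(p))
```

The later fragment is the case that matters: the policy does not try to guess which flow it belongs to, it simply refuses to pass anything it cannot fully inspect.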