From owner-freebsd-security  Tue May 22 18: 8:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142])
	by hub.freebsd.org (Postfix) with ESMTP id B38B337B424
	for <freebsd-security@FreeBSD.ORG>; Tue, 22 May 2001 18:08:31 -0700 (PDT)
	(envelope-from crist.clark@globalstar.com)
Received: from globalstar.com ([207.88.153.184]) by
          nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with
          ESMTP id GDRKHK00.M5Q; Tue, 22 May 2001 18:08:08 -0700 
Message-ID: <3B0B0D8C.3ADA76C1@globalstar.com>
Date: Tue, 22 May 2001 18:08:28 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
Organization: Globalstar LP
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: diman <diman@asd-g.com>
Cc: Lowell Gilbert <lowell@world.std.com>,
	freebsd-security@FreeBSD.ORG
Subject: Re: IPFW Rule -1 Always = Attack?
References: <Pine.BSF.4.21.0105221226100.202-100000@portal.none.ua>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

diman wrote:

[snip]

> It might be 'icmp: reassembly time exceed' or something else - it's
> OS/Setup dependant. It might need more than 1 packet, but my point
> is: "rule -1"  can be used for ipfw detection/identification.
> There are no much security risk unless u wanna hide ur frierwall from
> peoples looks.

I cannot say for sure, but I would expect that there are many firewall
implementations that drop these kinds of fragments unconditionally.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster@globalstar.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message