From owner-freebsd-security Sun Sep 3 12:20:16 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 7941137B424 for ; Sun, 3 Sep 2000 12:20:12 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 3 Sep 2000 12:19:08 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.9.3/8.9.3) id MAA49473; Sun, 3 Sep 2000 12:20:10 -0700 (PDT) (envelope-from cjc)
Date: Sun, 3 Sep 2000 12:20:10 -0700
From: "Crist J . Clark"
To: Dragos Ruiu
Cc: Bill Fumerola , Nicolas , freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
Message-ID: <20000903122010.K62475@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <007a01c01457$3b9eff80$e4aa603e@gottt> <0009022351571F.20066@smp.kyx.net> <20000903014453.H62475@149.211.6.64.reflexcom.com> <0009030256211M.20066@smp.kyx.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <0009030256211M.20066@smp.kyx.net>; from dr@kyx.net on Sun, Sep 03, 2000 at 02:22:52AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Sep 03, 2000 at 02:22:52AM -0700, Dragos Ruiu wrote:
> On Sun, 03 Sep 2000, Crist J . Clark wrote:

[snip]

> Actually IP level fragmentation is definitely not an application
> layer thing. (I'm not talking about TCP fragmentation.) But I'm
> quibbling with semantics...

No, it occurs at the IP layer of course, but it typically is only of
interest when the firewall is actually examining the contents of the
packets, and that usually only happens in application layer firewalls.

> My point is just that if you want to really do this appropriately
> you should tag fragmented head packets that are allowed through
> and allow subsequent fragments on that dest, port, and id #,
> and then you should close that hole when you see the end
> fragment go by, or a timeout occurs. The firewall should
> not let through any other fragments except those belonging
> to same datagram (dest, port, id) as allowed head fragment
> packets. Otherwise, it is either very easy to set up covert
> channels through your firewalls, or you have to break some
> spec compliant applications.

Sounds easier than it is. There is no guarantee that fragments with the
transport layer information will be the first ones there, for example. And
there is my personal favorite: you can fragment fragments. It's really
easy to DOS a firewall if you're not _really_ careful. Just ask Checkpoint.

-- 
Crist J. Clark                           cjclark@alum.mit.edu
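As an added illustration (not code from this thread, and not how ipfw implements anything), the following Python model implements the scheme Dragos describes and shows the two problems Crist raises: a non-head fragment can arrive before the head that carries the port, so it must be held rather than decided, and whatever is held must be bounded and timed out or the tracker itself becomes the DoS target. Fragments are plain dicts (src, dst, proto, id, offset, mf, and dport on the head only); the `allow_head` policy callback, the field names and the limits are assumptions of this example.

```python
# Added example: stateful fragment tracker keyed by (src, dst, proto, ip_id).
# A permitted head fragment (offset 0) opens a "hole"; later fragments of the
# same datagram pass while it is open; the hole closes on the last fragment
# (MF clear) or on timeout. Fragments seen before their head are held in a
# bounded table so an attacker cannot grow the tracker's memory without limit.

class FragTracker:
    def __init__(self, allow_head, timeout=30.0, max_pending=100):
        self.allow_head = allow_head      # policy applied to head fragments (has dport)
        self.timeout = timeout            # seconds a hole or held fragment may live
        self.max_pending = max_pending    # cap on fragments held awaiting a head
        self.open = {}                    # key -> expiry time of an allowed datagram
        self.pending = {}                 # key -> (expiry, [fragments without a head])
        self.held = 0

    def _key(self, f):
        return (f["src"], f["dst"], f["proto"], f["id"])

    def expire(self, now):
        """Discard holes and held fragments whose timeout has passed."""
        self.open = {k: t for k, t in self.open.items() if t > now}
        for k in [k for k, (t, _) in self.pending.items() if t <= now]:
            self.held -= len(self.pending.pop(k)[1])

    def handle(self, f, now):
        """Return [(offset, verdict), ...] for every fragment decided by this packet."""
        self.expire(now)
        k = self._key(f)
        if f["offset"] == 0:                            # head: the only piece with the port
            waiting = self.pending.pop(k, (0, []))[1]   # release anything held for it
            self.held -= len(waiting)
            batch = [f] + waiting
            if not self.allow_head(f):
                return [(x["offset"], "drop") for x in batch]
            self.open[k] = now + self.timeout
            if any(not x["mf"] for x in batch):         # last fragment already seen
                self.open.pop(k, None)
            return [(x["offset"], "pass") for x in batch]
        if k in self.open:                              # belongs to an allowed datagram
            if not f["mf"]:
                del self.open[k]                        # end fragment closes the hole
            return [(f["offset"], "pass")]
        if self.held >= self.max_pending:               # table full: refuse to grow
            return [(f["offset"], "drop")]
        self.pending.setdefault(k, (now + self.timeout, []))[1].append(f)
        self.held += 1
        return []                                       # decision deferred until the head
```

Note that closing the hole on the first MF-clear fragment means a middle fragment that arrives after the last one is held and eventually dropped, which is exactly the out-of-order case the reply warns about; a real implementation would have to track received byte ranges instead.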