Date: Sun, 3 Sep 2000 12:20:10 -0700
From: "Crist J . Clark" <cjclark@reflexnet.net>
To: Dragos Ruiu <dr@kyx.net>
Cc: Bill Fumerola <billf@chimesnet.com>, Nicolas <list@rachinsky.de>, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
Message-ID: <20000903122010.K62475@149.211.6.64.reflexcom.com>
In-Reply-To: <0009030256211M.20066@smp.kyx.net>; from dr@kyx.net on Sun, Sep 03, 2000 at 02:22:52AM -0700
References: <007a01c01457$3b9eff80$e4aa603e@gottt> <0009022351571F.20066@smp.kyx.net> <20000903014453.H62475@149.211.6.64.reflexcom.com> <0009030256211M.20066@smp.kyx.net>
On Sun, Sep 03, 2000 at 02:22:52AM -0700, Dragos Ruiu wrote:
> On Sun, 03 Sep 2000, Crist J . Clark wrote:

[snip]

> Actually IP level fragmentation is definitely not an application
> layer thing. (I'm not talking about TCP fragmentation.) But I'm
> quibbling with semantics...

No, it occurs at the IP layer of course, but it typically is only of
interest when the firewall is actually examining the contents of the
packets, and that usually only happens in application layer firewalls.

> My point is just that if you want to really do this appropriately
> you should tag fragmented head packets that are allowed through
> and allow subsequent fragments on that dest, port, and id #,
> and then you should close that hole when you see the end
> fragment go by, or a timeout occurs. The firewall should
> not let through any other fragments except those belonging
> to same datagram(dest,port,id) as allowed head fragment
> packets. Otherwise, it is either very easy to set up covert
> channels through your firewalls, or you have to break some
> spec compliant applications.

Sounds easier than it is. There is no guarantee that fragments with
the transport layer information will be the first ones there, for
example. And there is my personal favorite, you can fragment
fragments. It's really easy to DOS a firewall if you're not _really_
careful. Just ask Checkpoint.

-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
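The fragment-tracking scheme quoted above (open an entry on an allowed head fragment, pass later fragments of the same datagram, close on the end fragment or a timeout) and the objection in the reply (the head fragment need not arrive first) can both be seen in a small model. The following is an added example written for this archive page; it is not code from the thread, from ipfw, or from any firewall. The `Frag` record, the `FragmentTracker` class, the table-size cap and all sample fragments are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Frag:
    """Constructed stand-in for an IPv4 fragment: only the fields a filter consults."""
    dst: str
    ip_id: int
    offset: int                   # fragment offset in 8-byte units; 0 = head fragment
    more: bool                    # IP "more fragments" flag
    dport: Optional[int] = None   # transport dst port, present only in the head fragment
    ts: float = 0.0               # arrival time in seconds (constructed clock)

class FragmentTracker:
    """Stateful fragment filter modelled on the quoted proposal (hypothetical class).

    An allowed head fragment opens an entry keyed on (dst, ip_id); non-head
    fragments pass only while that entry is open; the entry closes when the
    end fragment (more == False) is seen or after `timeout` seconds.
    """
    def __init__(self, allowed_ports, timeout=30.0, max_entries=1024):
        self.allowed_ports = set(allowed_ports)
        self.timeout = timeout
        self.max_entries = max_entries   # bound the state table so it cannot grow without limit
        self.table = {}                  # (dst, ip_id) -> expiry time

    def _expire(self, now):
        for key in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[key]

    def decide(self, f: Frag) -> str:
        self._expire(f.ts)
        key = (f.dst, f.ip_id)
        if f.offset == 0:
            # Only the head fragment carries the transport header, so only here
            # can the port policy be applied.
            if f.dport not in self.allowed_ports:
                return "drop"
            if f.more:
                if len(self.table) >= self.max_entries:
                    return "drop"        # table full: refuse rather than exhaust memory
                self.table[key] = f.ts + self.timeout
            return "pass"
        # Non-head fragment: admitted only if its head already opened an entry.
        if key not in self.table:
            return "drop"
        if not f.more:
            del self.table[key]          # end fragment seen: close the hole
        return "pass"

def run(tracker, frags):
    return [tracker.decide(f) for f in frags]

def in_order():
    """Head fragment first: every piece passes and the entry is closed at the end."""
    t = FragmentTracker(allowed_ports={80})
    frags = [Frag("10.0.0.5", 7, 0, True, dport=80, ts=0.0),
             Frag("10.0.0.5", 7, 185, True, ts=0.1),
             Frag("10.0.0.5", 7, 370, False, ts=0.2)]
    return run(t, frags), len(t.table)

def out_of_order():
    """The reply's point: nothing guarantees the head fragment arrives first.
    The tail pieces are dropped before the entry exists, the datagram can
    never be reassembled, and the entry lingers until it times out."""
    t = FragmentTracker(allowed_ports={80})
    frags = [Frag("10.0.0.5", 8, 370, False, ts=0.0),
             Frag("10.0.0.5", 8, 185, True, ts=0.1),
             Frag("10.0.0.5", 8, 0, True, dport=80, ts=0.2)]
    return run(t, frags), len(t.table)

def stale_entry_expires():
    """A fragment arriving after the timeout finds no entry; the table is cleaned."""
    t = FragmentTracker(allowed_ports={80}, timeout=30.0)
    t.decide(Frag("10.0.0.5", 9, 0, True, dport=80, ts=0.0))
    late = Frag("10.0.0.5", 9, 185, False, ts=31.0)
    return t.decide(late), len(t.table)

def blocked_head():
    """A head fragment to a disallowed port opens nothing, so its tail is dropped too."""
    t = FragmentTracker(allowed_ports={80})
    return run(t, [Frag("10.0.0.5", 10, 0, True, dport=23, ts=0.0),
                   Frag("10.0.0.5", 10, 185, False, ts=0.1)])
```

The `in_order` and `blocked_head` cases show the scheme doing what the quoted message wants. The `out_of_order` case shows the cost of a strict policy: a spec-compliant sender whose head fragment arrives last loses the whole datagram, and the firewall is left holding an entry for it until the timeout, which is why the table has to be bounded. The model deliberately does not cover re-fragmented or overlapping fragments, the other failure mode the reply names; handling those requires reassembling and checking fragment boundaries, not just a (dst, id) lookup.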