Date: Mon, 21 Aug 1995 21:28:10 -0600
From: Warner Losh <imp@village.org>
To: peter@haywire.dialix.com (Peter Wemm)
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: IPFW and SCREEND
Message-ID: <199508220328.VAA08415@rover.village.org>
In-Reply-To: Your message of 21 Aug 1995 22:58:29 +0800
: It has IP and port filtering.. Since it's on a per-interface level, it
: could be programmed to drop packets coming in that have your source
: address, in an attempt to get around your security (recent CERT advisory).

But does it have the ability to drop IP fragments that would overwrite the IP and TCP headers and thus allow traffic through that would otherwise be denied? A popular recent attack is to have an acceptable IP packet fragment go through the firewall, then to send an IP fragment that has an offset of 1 or 4 and overwrite the "OK" header with "Evil" headers that would otherwise be blocked. ip_fil does do that, and as far as the author and our local security expert know, is the only one to do so other than recent Cisco releases.

Not to say that screend is bad, or anything like that. Just curious as to what is the state of the art.

Warner
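The fragment-overwrite problem Warner describes above, as an added Python example that is not from this thread nor from ip_fil or screend: a stateless check in the spirit of RFC 1858 (drop a first fragment too short to carry the whole TCP header, and drop any later fragment whose offset would land inside that header) beside a stateful tracker that flags a fragment overlapping bytes already accepted. The packet builder, the function names and the sample datagram are constructed for this illustration only.

```python
import struct

IP_MF = 0x2000          # "more fragments" bit in the IPv4 flags/offset field
TCP_MIN_HDR = 20        # bytes a filter must see to judge ports and flags

def build_ipv4(offset_units, more, payload, ident=0x1234, proto=6):
    """Constructed test fixture: minimal IPv4 header (no options) in front of payload."""
    flags_frag = (IP_MF if more else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, bytes(4), bytes(4))
    return hdr + payload

def parse_ipv4(pkt):
    """Return (ident, proto, fragment offset in bytes, more-fragments flag, payload)."""
    ver_ihl, _, total, ident, flags_frag, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return ident, proto, (flags_frag & 0x1FFF) * 8, bool(flags_frag & IP_MF), pkt[ihl:total]

def fragment_verdict(pkt):
    """Stateless per-fragment check (RFC 1858 style) for a TCP datagram."""
    _, proto, offset, more, payload = parse_ipv4(pkt)
    if proto != 6 or (offset == 0 and not more):
        return "pass"                       # not TCP, or not a fragment at all
    if offset == 0 and len(payload) < TCP_MIN_HDR:
        return "drop:tiny-first-fragment"   # ports/flags cannot be judged in full
    if 0 < offset < TCP_MIN_HDR:
        return "drop:header-overlap"        # would rewrite a header already accepted
    return "pass"

class OverlapTracker:
    """Stateful check: remember accepted byte ranges per datagram id, flag any overlap."""
    def __init__(self):
        self.seen = {}      # ident -> list of (start, end) byte ranges already accepted

    def observe(self, pkt):
        ident, _, offset, _, payload = parse_ipv4(pkt)
        start, end = offset, offset + len(payload)
        ranges = self.seen.setdefault(ident, [])
        overlap = any(start < e and s < end for s, e in ranges)
        ranges.append((start, end))
        return overlap

def demo():
    """Constructed sample: a complete first fragment, a normal tail, then one at offset 1."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    first = build_ipv4(0, True, tcp)            # full 20-byte TCP header, MF set
    tail = build_ipv4(3, False, b"x" * 8)       # offset 24: past the TCP header
    overlap = build_ipv4(1, False, b"\0" * 12)  # offset 8: lands inside the TCP header
    t = OverlapTracker()
    return [fragment_verdict(first), fragment_verdict(tail), fragment_verdict(overlap),
            t.observe(first), t.observe(tail), t.observe(overlap)]
```

The stateless verdict alone is enough to reject the offset-1 case, while the tracker also catches overlaps that start beyond the transport header.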