Date: Tue, 22 Aug 1995 21:03:49 +0200 (MET DST)
From: guido@gvr.win.tue.nl (Guido van Rooij)
To: imp@village.org (Warner Losh)
Cc: peter@haywire.dialix.com, freebsd-hackers@FreeBSD.ORG
Subject: Re: IPFW and SCREEND
Message-ID: <199508221903.VAA00693@gvr.win.tue.nl>
In-Reply-To: <199508220328.VAA08415@rover.village.org> from "Warner Losh" at Aug 21, 95 09:28:10 pm
> But does it have the ability to drop IP fragments that would overwrite
> the IP and TCP headers and thus allow traffic through that would
> otherwise be denied? A popular recent attack is to have an acceptable
> IP packet fragment go through the firewall, then to send an IP
> fragment that had an offset of 1 or 4 and overwrite the "OK" header
> with "Evil" headers that would otherwise be blocked. ip_fil does do
> that, and as far as the author and our local security expert know, is
> the only one to do so other than recent Cisco releases.
>
> Not to say that screend is bad, or anything like that. Just curious
> as to what is the state of the art.

Just throw away *every* fragment that has as its start byte a byte in the
TCP/IP header (so smaller than 40).

-Guido
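The filtering rule Guido describes, worked out as an added example (not code from the thread, IPFW or screend): parse the IPv4 fragment offset, and drop any non-first fragment whose first payload byte falls below the 40-byte threshold he gives. The sample fragments are constructed inline; the threshold constant and the helper names are this example's own.

```python
import struct

# Threshold stated in the reply: a fragment that starts anywhere in the
# first 40 bytes of the IP payload could rewrite the TCP header bytes that
# the first fragment was inspected on, so it is discarded.
HEADER_SPAN = 40

def parse_ipv4_fragment(pkt: bytes) -> dict:
    """Extract the IPv4 header fields that matter for fragment filtering."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total_len, ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    offset_units = flags_frag & 0x1FFF          # fragment offset, 8-octet units
    return {
        "id": ident,
        "proto": proto,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": offset_units,
        "start_byte": offset_units * 8,         # byte position inside the IP payload
    }

def should_drop(pkt: bytes) -> bool:
    """Guido's rule: discard a non-first fragment that starts inside the header span."""
    f = parse_ipv4_fragment(pkt)
    return f["frag_offset"] != 0 and f["start_byte"] < HEADER_SPAN

def make_fragment(ident: int, more: bool, offset_units: int, payload: bytes) -> bytes:
    """Build a constructed IPv4/TCP fragment for testing (sample data, not a capture)."""
    flags_frag = (0x2000 if more else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

if __name__ == "__main__":
    # Offset 0 carries the TCP header that the firewall actually inspected.
    first = make_fragment(0x1234, True, 0, bytes(40))
    # Offset 1 starts at byte 8 and would land inside the TCP header: dropped.
    overlap = make_fragment(0x1234, False, 1, bytes(32))
    # Offset 5 starts at byte 40, past the header span: passed through.
    tail = make_fragment(0x1234, False, 5, bytes(100))
    for name, frag in (("first", first), ("overlap", overlap), ("tail", tail)):
        info = parse_ipv4_fragment(frag)
        print(f"{name:8s} offset={info['frag_offset']:3d} start={info['start_byte']:3d} "
              f"drop={should_drop(frag)}")
```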