From owner-freebsd-hackers Tue Aug 22 12:06:22 1995
Return-Path: hackers-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id MAA10384 for hackers-outgoing; Tue, 22 Aug 1995 12:06:22 -0700
Received: from who.cdrom.com (who.cdrom.com [192.216.222.3]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id MAA10375 for ; Tue, 22 Aug 1995 12:06:21 -0700
Received: from gvr.win.tue.nl (gvr.win.tue.nl [131.155.210.19]) by who.cdrom.com (8.6.11/8.6.11) with ESMTP id MAA19128 for ; Tue, 22 Aug 1995 12:05:56 -0700
Received: by gvr.win.tue.nl (8.6.10/1.53) id VAA00693; Tue, 22 Aug 1995 21:03:50 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199508221903.VAA00693@gvr.win.tue.nl>
Subject: Re: IPFW and SCREEND
To: imp@village.org (Warner Losh)
Date: Tue, 22 Aug 1995 21:03:49 +0200 (MET DST)
Cc: peter@haywire.dialix.com, freebsd-hackers@FreeBSD.ORG
In-Reply-To: <199508220328.VAA08415@rover.village.org> from "Warner Losh" at Aug 21, 95 09:28:10 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 779
Sender: hackers-owner@FreeBSD.ORG
Precedence: bulk

> But does it have the ability to drop IP fragments that would overwrite
> the IP and TCP headers and thus allow traffic through that would
> otherwise be denied? A popular recent attack is to have an acceptable
> IP packet fragment go through the firewall, then to send an IP
> fragment that had an offset of 1 or 4 and overwrite the "OK" header
> with "Evil" headers that would otherwise be blocked. ip_fil does do
> that, and as far as the author and our local security expert know, is
> the only one to do so other than recent Cisco releases.
>
> Not to say that screend is bad, or anything like that. Just curious
> as to what is the state of the art.

Just throw away *every* fragment that has as its start byte a byte in the
TCP/IP header (so smaller than 40).

-Guido
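The rule Guido states above, written out as a packet-filter check, as an added example that is not part of the original thread and not code from ipfw, screend or ip_fil. It reads the 13-bit fragment offset from a raw IPv4 header (offset is in 8-octet units), converts it to a byte position in the reassembled datagram, and drops any non-first fragment whose data would land inside the first 40 bytes (20-byte IPv4 header plus 20-byte TCP header). The header builder, the function names and the sample packets are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bytes of the reassembled datagram that the filter inspects: a minimal
   IPv4 header (20) plus a minimal TCP header (20). Fragments that start
   below this byte position could rewrite the headers the filter already
   accepted, so they are dropped. (Assumption: no IP/TCP options; with
   options the real header span is larger, so 40 is the floor.) */
#define HEADER_SPAN 40

#define IP_OFFMASK 0x1fff   /* low 13 bits of bytes 6-7: fragment offset */
#define IP_MF      0x2000   /* "more fragments" flag */

/* Verdict for one raw IPv4 packet.
   Returns  1 -> drop: non-first fragment starting inside the header span
            0 -> pass to the normal ruleset (first fragment or unfragmented,
                 or a fragment starting at/after byte HEADER_SPAN)
           -1 -> malformed: too short or not IPv4 */
int drop_header_overlap_fragment(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    unsigned frag      = ((unsigned)pkt[6] << 8) | pkt[7];
    unsigned off_bytes = (frag & IP_OFFMASK) * 8;
    if (off_bytes == 0)
        return 0;   /* carries the real headers; the ordinary rules see them */
    return off_bytes < HEADER_SPAN ? 1 : 0;
}

/* Constructed sample: build a minimal 20-byte IPv4 header (checksum left
   zero, not needed for this check) with the given fragment offset in
   8-octet units and MF flag. */
void make_ipv4_header(uint8_t out[20], unsigned frag_units, int more_fragments)
{
    memset(out, 0, 20);
    out[0] = 0x45;                      /* version 4, IHL 5 (20 bytes) */
    out[3] = 20 + 8;                    /* total length: header + 8 data bytes */
    unsigned frag = (frag_units & IP_OFFMASK) | (more_fragments ? IP_MF : 0);
    out[6] = (uint8_t)(frag >> 8);
    out[7] = (uint8_t)(frag & 0xff);
    out[8] = 64;                        /* TTL */
    out[9] = 6;                         /* protocol: TCP */
}

/* Convenience wrapper: verdict for a constructed fragment with this offset. */
int verdict_for(unsigned frag_units, int more_fragments)
{
    uint8_t h[20];
    make_ipv4_header(h, frag_units, more_fragments);
    return drop_header_overlap_fragment(h, sizeof h);
}

int main(void)
{
    /* Offsets 1 and 4 are the ones named in the thread: their data would
       start at bytes 8 and 32, inside the TCP header. Offset 5 starts at
       byte 40, just past it, so it is left to the normal rules. */
    unsigned offs[] = { 0, 1, 4, 5, 185 };
    for (size_t i = 0; i < sizeof offs / sizeof offs[0]; i++)
        printf("fragment offset %3u (byte %4u): %s\n", offs[i], offs[i] * 8,
               verdict_for(offs[i], 1) == 1 ? "DROP" : "pass");
    return 0;
}
```

A first fragment (offset 0) still has to be long enough to actually contain the TCP header it claims, otherwise a filter matching on ports sees nothing to match; that length check is separate from the overlap rule shown here and is the other half of RFC 1858's fragment-filtering advice.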