Date: 21 May 2001 10:41:07 -0400
From: Lowell Gilbert <lowell@world.std.com>
To: freebsd-security@freebsd.org
Subject: Re: IPFW Rule -1 Always = Attack?
Message-ID: <44ae4669z0.fsf@lowellg.ne.mediaone.net>
In-Reply-To: diman@asd-g.com's message of "21 May 2001 13:45:44 +0200"
References: <44y9rtf9ox.fsf@lowellg.ne.mediaone.net> <Pine.BSF.4.21.0105211239160.199-100000@portal.none.ua>
diman@asd-g.com (diman) writes:

> On 19 May 2001, Lowell Gilbert wrote:
>
> > dwplists@loop.com (D. W. Piper) writes:
> >
> > > If I understand things correctly from the archives and the IPFW man
> > > page, IPFW rule -1 is built into the firewall, and only applies to
> > > rejecting IP fragments with a fragment offset of one. The man page
> > > further states, "This is a valid packet, but it only has one use, to try
> > > to circumvent firewalls."
> > >
> > > Does that mean that every packet dropped by rule -1 indicates a
> > > deliberate attempt to circumvent the firewall, and should be reported to
> > > the appropriate network administrator for the source IP address?
> >
> > It's *possible* that the rule could be triggered by something that
> > wasn't an attack. Thinking about it briefly, it seems slightly more
> > likely that it's part of a probe, rather than an actual attack.
> > However, reporting to the network administrator for that address is
> > almost certainly useless in any case, because an attacker would
> > probably have spoofed that address anyway. [An attacker wouldn't ever
> > get any response from that packet in any case.]
>
> An attacker can get an answer from the destination host. It's an ipfw in
> between if he won't. Easy rule :)

This is incorrect. The attacker can't get an answer in either case. The
destination host won't reply unless the packet with the fragment offset of
zero *also* got through to that destination host, in which case this rule
doesn't matter. If it isn't the case, the destination host will never get a
whole packet, and will never respond.

The "rule -1" situation is only useful (to attackers) as part of a traffic
analysis scheme, and not terribly useful even for that. However, there's no
downside to dropping these packets, so we do.

- Lowell
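The reasoning in this thread (why an offset-1 fragment alone can never draw a reply, and why that particular offset is the one a firewall singles out) is easy to see with a toy reassembler. The following is an added example, not code from the thread or from ipfw's kernel implementation. It assumes only the IPv4 and TCP header layouts: the fragment offset field counts 8-byte units, so offset 1 starts at byte 8 of the transport header, and bytes 8-19 of a TCP header hold the ack number, data offset, flags, window, checksum and urgent pointer. An offset-1 fragment is therefore exactly the one that can overwrite the flags of a 16-byte first fragment that a stateless filter already accepted, which is the circumvention the man page alludes to. The overlap policy (newest fragment wins) and the TEST-NET-1 addresses are assumptions made for the illustration.

```python
import socket
import struct

IP_MF = 0x2000        # IPv4 "more fragments" flag
IP_OFFMASK = 0x1FFF   # fragment offset field, in units of 8 bytes


def build_ipv4(src, dst, ident, proto, payload, offset8, more):
    """Minimal IPv4 datagram (no options; checksum left zero, nothing
    here validates it; offline illustration only)."""
    frag_field = (IP_MF if more else 0) | (offset8 & IP_OFFMASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      frag_field, 64, proto, 0, src, dst)
    return hdr + payload


def parse_ipv4(pkt):
    """Return just the fields the fragment logic needs."""
    _, _, total_len, ident, frag_field, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": src, "dst": dst, "id": ident, "proto": proto,
            "offset8": frag_field & IP_OFFMASK,
            "more": bool(frag_field & IP_MF),
            "payload": pkt[ihl:total_len]}


def rule_minus_1(pkt):
    """The built-in ipfw check discussed above: True means the fragment is
    dropped because its offset is exactly 1 (data starts at transport byte 8)."""
    return parse_ipv4(pkt)["offset8"] == 1


class Reassembler:
    """Toy reassembly. Assumed policy: a later-arriving fragment overwrites
    bytes an earlier one supplied (what the overlap trick counts on)."""

    def __init__(self):
        self.pending = {}   # (src, dst, id, proto) -> fragments, arrival order

    def feed(self, pkt):
        """Return the whole payload once every byte is present, else None."""
        f = parse_ipv4(pkt)
        key = (f["src"], f["dst"], f["id"], f["proto"])
        frags = self.pending.setdefault(key, [])
        frags.append(f)
        last = [g for g in frags if not g["more"]]
        if not last:
            return None                       # final fragment not seen yet
        total = last[0]["offset8"] * 8 + len(last[0]["payload"])
        data, have = bytearray(total), [False] * total
        for g in frags:                       # arrival order, so newest wins
            start = g["offset8"] * 8
            for i, byte in enumerate(g["payload"]):
                if start + i < total:
                    data[start + i], have[start + i] = byte, True
        if not all(have):
            return None                       # hole left, e.g. no offset-0 fragment
        del self.pending[key]
        return bytes(data)


def tcp_header(flags):
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    return struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, flags, 8192, 0, 0)


def tcp_flags(tcp_hdr):
    """Flags byte of a TCP header (byte 13; SYN = 0x02, ACK = 0x10)."""
    return tcp_hdr[13]


# Constructed sample traffic; TEST-NET-1 addresses, nothing real.
SRC = socket.inet_aton("192.0.2.10")
DST = socket.inet_aton("192.0.2.20")


def benign_split():
    """An ordinary SYN split into two fragments: bytes 0-7 and bytes 8-19."""
    syn = tcp_header(0x02)
    return (build_ipv4(SRC, DST, 1, 6, syn[:8], 0, True),
            build_ipv4(SRC, DST, 1, 6, syn[8:], 1, False))


def overlap_attack():
    """A 16-byte first fragment showing an innocuous ACK, then an offset-1
    fragment that rewrites bytes 8-19 with the tail of a SYN header."""
    ack, syn = tcp_header(0x10), tcp_header(0x02)
    return (build_ipv4(SRC, DST, 2, 6, ack[:16], 0, True),
            build_ipv4(SRC, DST, 2, 6, syn[8:], 1, False))


def deliver(frags, firewall=True):
    """Run fragments through the rule -1 check (if enabled), then reassemble."""
    r = Reassembler()
    for pkt in frags:
        if firewall and rule_minus_1(pkt):
            continue
        done = r.feed(pkt)
        if done is not None:
            return done
    return None
```

`deliver(benign_split()[1:], firewall=False)` returns None: an offset-1 fragment that arrives without its offset-0 companion never completes a datagram, so the host has nothing to answer, which is the point made in the reply above. With both fragments and no filter the SYN reassembles normally; with the filter the second fragment is dropped and the datagram again never completes. In the overlap case the filter is what prevents the reassembled header from carrying the SYN flag the first fragment did not show.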
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44ae4669z0.fsf>
