Bugtraq mailing list archives

Re: BUG: Win NT TCP/IP Security filters does not get enforced


From: stnor () SWEDEN HP COM (Stefan Norberg)
Date: Sun, 10 Oct 1999 15:21:39 +0200


Todd Sabin writes:
> Apparently, the way it works is that for UDP and TCP, you completely
> disable them by changing their setting to "Permit Only", and don't
> permit any ports, rather than with the IP protocols box.  Since you
> left UDP at permit all ports, your netcat test got through.
>
> The IP Protocols box is protocols other than UDP and TCP.  Except for
> ICMP.  You can't disable that at all, as you noticed.  Not being able
> to disable ICMP was discussed on NTBugtraq a little while ago.


It seems that you are right.
I used PPTP (GRE) to test it and the RAS server did send an ICMP message
back:

14:49:19.769569 gre-proto-0x880B (gre encap)
14:49:19.769647 RASSERVER > CLIENT: icmp: RASSERVER protocol 47 unreachable

However, I still consider it a bug. The GUI is misleading. If I configure
the TCP/IP security using the GUI to "Permit *only* IP protocols: 6 (TCP)",
then EVERYTHING including ICMP and UDP (regardless of other settings) should
be denied and NT should send an ICMP unreachable.

/stefan
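The filter semantics Todd describes and the test Stefan ran, as an added worked model that is not part of the original post. The decision logic below is a reconstruction of the behaviour the two messages describe, not NT source, and is an assumption; the registry value names (EnableSecurityFilters, TcpAllowedPorts, UdpAllowedPorts, RawIpAllowedProtocols) are NT's, while the encoding of a single "0" entry as "Permit All" and an empty list as "permit nothing" is from Microsoft's documentation as recalled here and should also be treated as an assumption. The two configurations are Stefan's GUI setting ("Permit only IP protocols: 6" with TCP and UDP left at Permit All) and the empty Permit Only lists Todd says actually lock the host down.

```python
r"""Toy model of the NT 4 "TCP/IP Security" filter as described in the thread.

Added example, not code from the original post.  The decision logic is a
reconstruction of the behaviour Todd Sabin and Stefan Norberg describe
(assumption, not NT source).  Registry names are NT's; filters only take
effect when EnableSecurityFilters=1 under Tcpip\Parameters, and the three
REG_MULTI_SZ lists live under the adapter's Parameters\Tcpip key.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47  # PPTP data channel, the protocol Stefan tested with

# GUI "Permit All" is modelled as None; any frozenset is GUI "Permit Only".
PERMIT_ALL = None


@dataclass(frozen=True)
class SecurityFilter:
    tcp_ports: Optional[FrozenSet[int]]       # TCP Ports box
    udp_ports: Optional[FrozenSet[int]]       # UDP Ports box
    ip_protocols: Optional[FrozenSet[int]]    # IP Protocols box (non-TCP/UDP only)


@dataclass(frozen=True)
class Packet:
    proto: int
    dport: Optional[int] = None  # only meaningful for TCP and UDP


def filter_decision(cfg: SecurityFilter, pkt: Packet) -> str:
    """Classify an inbound packet as ACCEPT, DENY or ICMP_PROTO_UNREACH.

    Per the thread: TCP and UDP are governed only by their own port lists,
    the IP Protocols box applies to everything else, and ICMP cannot be
    filtered at all.  A rejected non-TCP/UDP protocol is answered with an
    ICMP "protocol unreachable", as the tcpdump trace in the post shows for
    GRE.  What the stack sends back for a denied TCP/UDP port is not stated
    in the thread, so the model just says DENY.
    """
    if pkt.proto == IPPROTO_ICMP:
        return "ACCEPT"  # not filterable regardless of configuration
    if pkt.proto == IPPROTO_TCP:
        allowed = cfg.tcp_ports is PERMIT_ALL or pkt.dport in cfg.tcp_ports
        return "ACCEPT" if allowed else "DENY"
    if pkt.proto == IPPROTO_UDP:
        allowed = cfg.udp_ports is PERMIT_ALL or pkt.dport in cfg.udp_ports
        return "ACCEPT" if allowed else "DENY"
    if cfg.ip_protocols is PERMIT_ALL or pkt.proto in cfg.ip_protocols:
        return "ACCEPT"
    return "ICMP_PROTO_UNREACH"


def registry_values(cfg: SecurityFilter) -> Dict[str, List[str]]:
    """REG_MULTI_SZ contents for the per-adapter Parameters\Tcpip key.

    Assumption (from Microsoft documentation as recalled): a single "0"
    entry means Permit All; an empty list is Permit Only with nothing
    permitted, which is what actually disables TCP or UDP.
    """
    def enc(v: Optional[FrozenSet[int]]) -> List[str]:
        return ["0"] if v is PERMIT_ALL else [str(n) for n in sorted(v)]

    return {
        "TcpAllowedPorts": enc(cfg.tcp_ports),
        "UdpAllowedPorts": enc(cfg.udp_ports),
        "RawIpAllowedProtocols": enc(cfg.ip_protocols),
    }


# Stefan's setting: "Permit only IP protocols: 6 (TCP)", TCP/UDP at Permit All.
GUI_MISLEADING = SecurityFilter(PERMIT_ALL, PERMIT_ALL, frozenset({IPPROTO_TCP}))
# Todd's reading of how to really lock the box down: empty Permit Only lists.
LOCKED_DOWN = SecurityFilter(frozenset(), frozenset(), frozenset())

# Constructed sample traffic: Stefan's netcat UDP probe, his PPTP (GRE) test,
# a ping, and a plain TCP connection.
SAMPLE_TRAFFIC = {
    "udp_netcat": Packet(IPPROTO_UDP, 53),
    "gre_pptp": Packet(IPPROTO_GRE),
    "icmp_echo": Packet(IPPROTO_ICMP),
    "tcp_http": Packet(IPPROTO_TCP, 80),
}


def reproduce_thread(cfg: SecurityFilter) -> Dict[str, str]:
    """Run the sample traffic through a configuration and return decisions."""
    return {name: filter_decision(cfg, pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for label, cfg in (("GUI as Stefan set it", GUI_MISLEADING), ("empty Permit Only lists", LOCKED_DOWN)):
        print(label, registry_values(cfg), reproduce_thread(cfg))
```

With Stefan's configuration the model lets the UDP probe and the ping through and answers GRE with a protocol unreachable, matching the trace in the post; with empty Permit Only lists TCP and UDP are denied too, but ICMP is still accepted, which is exactly the gap between what the GUI suggests and what the filter enforces.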

