Bugtraq mailing list archives
Re: BUG: Win NT TCP/IP Security filters does not get enforced
From: stnor () SWEDEN HP COM (Stefan Norberg)
Date: Sun, 10 Oct 1999 15:21:39 +0200
Todd Sabin writes:
Apparently, the way it works is that for UDP and TCP, you completely disable them by changing their setting to "Permit Only", and don't permit any ports, rather than with the IP protocols box. Since you left UDP at permit all ports, your netcat test got through. The IP Protocols box is protocols other than UDP and TCP. Except for ICMP. You can't disable that at all, as you noticed. Not being able to disable ICMP was discussed on NTBugtraq a little while ago.
It seems that you are right. I used PPTP (GRE) to test it and the RAS server did send an ICMP message back:

14:49:19.769569 gre-proto-0x880B (gre encap)
14:49:19.769647 RASSERVER > CLIENT: icmp: RASSERVER protocol 47 unreachable

However, I still consider it a bug. The GUI is misleading. If I configure the TCP/IP security using the GUI to "Permit *only* IP protocols: 6 (TCP)", then EVERYTHING including ICMP and UDP (regardless of other settings) should be denied and NT should send an ICMP unreachable.

/stefan
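Added example, not part of the original message or of any Microsoft code: a small Python model of the three filter boxes that compares the behaviour described in this thread with what the GUI wording suggests, so the gap can be listed for a given configuration. The class, function names and probe set are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

TCP, UDP, ICMP, GRE = 6, 17, 1, 47   # IP protocol numbers
PERMIT_ALL = None                    # models the "Permit All" setting of a box

@dataclass(frozen=True)
class Filters:                       # hypothetical model of the three GUI boxes
    tcp_ports: Optional[FrozenSet[int]] = PERMIT_ALL
    udp_ports: Optional[FrozenSet[int]] = PERMIT_ALL
    ip_protocols: Optional[FrozenSet[int]] = PERMIT_ALL

def _permits(box, value):
    return box is PERMIT_ALL or value in box

def as_described(f, proto, port=None):
    """Behaviour as described in the thread."""
    if proto == ICMP:                # cannot be disabled at all
        return True
    if proto == TCP:                 # governed only by the TCP ports box
        return _permits(f.tcp_ports, port)
    if proto == UDP:                 # governed only by the UDP ports box
        return _permits(f.udp_ports, port)
    return _permits(f.ip_protocols, proto)   # every other protocol

def as_gui_suggests(f, proto, port=None):
    """Reading of the GUI in which the IP protocols box gates everything."""
    if not _permits(f.ip_protocols, proto):
        return False
    if proto == TCP:
        return _permits(f.tcp_ports, port)
    if proto == UDP:
        return _permits(f.udp_ports, port)
    return True

# Constructed probe set: one packet per protocol discussed in the thread.
PROBES = {"tcp/80": (TCP, 80), "udp/53": (UDP, 53),
          "icmp": (ICMP, None), "gre": (GRE, None)}

def gap(f):
    """Probes that pass as described although the GUI reading would deny them."""
    return sorted(name for name, (proto, port) in PROBES.items()
                  if as_described(f, proto, port)
                  and not as_gui_suggests(f, proto, port))

# The configuration from the report: only "Permit only IP protocols: 6".
REPORTED = Filters(ip_protocols=frozenset({TCP}))
# The same, plus UDP set to "Permit Only" with no ports listed.
LOCKED = Filters(udp_ports=frozenset(), ip_protocols=frozenset({TCP}))

if __name__ == "__main__":
    print("reported config gap:", gap(REPORTED))
    print("with UDP 'Permit Only', no ports:", gap(LOCKED))
```

In this model the reported configuration still passes UDP and ICMP, and emptying the UDP "Permit Only" list closes UDP but leaves ICMP reachable, matching what the thread describes.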