Firewall Wizards mailing list archives
Re: Firewall-Wizards Digest V1 #311
From: Kevin Steves <stevesk () sweden hp com>
Date: Sun, 6 Jun 1999 09:12:43 +0200 (CEST)
On Thu, 3 Jun 1999, Ryan Russell wrote:
: >Why not simply check the data field for the SR tag?  A real proxy should
: >be unable to forward traffic (source routed or not) without proxy
: >intervention.
:
: Those types of things get stripped off before the daemon gets
: the data, no?  Doesn't all the interesting info below layer 4 get
: "eaten" by the OS by the time an app using sockets gets
: it?

The rshd with RedHat 6.0 does this:

        /* fd 0 is the accepted connection under inetd; read back the IP
           options the kernel kept for it */
        if (!getsockopt(0, ipproto, IP_OPTIONS, (char *)optbuf, &optsize) &&
            optsize != 0) {
                /* render the raw option bytes as " xx xx ..." for the log */
                lp = lbuf;
                for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
                        sprintf(lp, " %2.2x", *cp);
                syslog(LOG_NOTICE,
                    "Connection received from %s using IP options (ignored):%s",
                    inet_ntoa(fromp->sin_addr), lbuf);
                /* clear the options on the socket rather than drop the
                   connection */
                if (setsockopt(0, ipproto, IP_OPTIONS, NULL, optsize) != 0) {
                        syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
                        exit(1);
                }
        }

Nulling the options seems broken--though I'm unclear on the exact
semantics.  I think it should instead refuse (close) the connection.
It seems from this point I could attempt to blind spoof since I've seen
the ISN in the SYN,ACK.
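The "refuse the connection" variant argued for in the message above, written out as an added example; this is not the rshd code quoted in the post and not from anyone in the thread. It assumes a BSD- or Linux-style stack where getsockopt(IP_OPTIONS) on an accepted TCP socket returns the IP options that arrived with the connection request (possibly with the route already reversed for the reply path). The function names, the `peer` label and the sample option byte strings are all constructed for illustration.

```c
/* Added example (not rshd's code): inspect the IP options on an accepted
 * socket and refuse the connection if a source route is present, instead of
 * clearing the options with setsockopt(IP_OPTIONS, NULL) as rshd does.
 * Assumes getsockopt(IP_OPTIONS) returns the options received on the
 * connection (BSD/Linux behaviour). */
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* IP option type codes from RFC 791 (copy flag, class and number combined). */
#define OPT_END   0x00
#define OPT_NOP   0x01
#define OPT_LSRR  0x83   /* loose source and record route */
#define OPT_SSRR  0x89   /* strict source and record route */

#define MAX_IP_OPTIONS 40 /* IP header options occupy at most 40 bytes */

/* Walk a raw options list as returned by getsockopt(IP_OPTIONS).
 * Returns 1 if an LSRR or SSRR option is present, 0 if the list is clean,
 * and -1 if the list is malformed (length byte missing or out of range).
 * Only the type byte is matched, so the address list need not be parsed. */
int ip_options_have_source_route(const unsigned char *opts, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char type = opts[i];
        if (type == OPT_END)
            return 0;
        if (type == OPT_NOP) {
            i++;                       /* single-byte option, no length */
            continue;
        }
        if (i + 1 >= len)
            return -1;                 /* no room for the length byte */
        unsigned char olen = opts[i + 1];
        if (olen < 2 || i + olen > len)
            return -1;                 /* length runs past the buffer */
        if (type == OPT_LSRR || type == OPT_SSRR)
            return 1;
        i += olen;
    }
    return 0;
}

/* Render the options as " xx xx ..." the way rshd logs them.
 * Returns the number of characters written, excluding the NUL. */
size_t format_ip_options(const unsigned char *opts, size_t len,
                         char *out, size_t outsz)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n + 4 <= outsz; i++)
        n += (size_t)snprintf(out + n, outsz - n, " %02x", opts[i]);
    if (outsz > 0)
        out[n] = '\0';
    return n;
}

/* Policy for one accepted connection. Returns 0 when the connection carries
 * no source route and may proceed; otherwise logs, closes fd and returns -1.
 * A malformed option list or a failed getsockopt is refused as well. */
int refuse_if_source_routed(int fd, const char *peer)
{
    unsigned char optbuf[MAX_IP_OPTIONS];
    socklen_t optsize = sizeof optbuf;
    char hex[3 * MAX_IP_OPTIONS + 1];

    if (getsockopt(fd, IPPROTO_IP, IP_OPTIONS, optbuf, &optsize) != 0) {
        syslog(LOG_ERR, "getsockopt IP_OPTIONS from %s: %m", peer);
        close(fd);
        return -1;
    }
    if (optsize == 0)
        return 0;                      /* the common case: no options at all */

    format_ip_options(optbuf, optsize, hex, sizeof hex);
    if (ip_options_have_source_route(optbuf, optsize) != 0) {
        syslog(LOG_NOTICE, "Connection from %s refused, IP options:%s",
               peer, hex);
        close(fd);
        return -1;
    }
    syslog(LOG_NOTICE, "Connection from %s with IP options (no source route):%s",
           peer, hex);
    return 0;
}

int main(void)
{
    /* Constructed samples: LSRR with one hop 10.0.0.1, and a record-route
     * option of the same shape, which is not a source route. */
    const unsigned char lsrr[] = { OPT_LSRR, 7, 4, 10, 0, 0, 1, OPT_END };
    const unsigned char rr[]   = { 0x07,     7, 4, 10, 0, 0, 1, OPT_END };
    char hex[3 * MAX_IP_OPTIONS + 1];

    format_ip_options(lsrr, sizeof lsrr, hex, sizeof hex);
    printf("lsrr:%s -> %d\n", hex, ip_options_have_source_route(lsrr, sizeof lsrr));
    format_ip_options(rr, sizeof rr, hex, sizeof hex);
    printf("rr:%s -> %d\n", hex, ip_options_have_source_route(rr, sizeof rr));
    return 0;
}
```

In a daemon, refuse_if_source_routed() would be called on the socket returned by accept() (or on fd 0 under inetd) before any protocol data is read; because nothing is written back to the socket, the question of what setsockopt(IP_OPTIONS, NULL) means for the reply path does not arise, and a peer that sent a source route gets a close rather than a session.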
Current thread:
- Re: Firewall-Wizards Digest V1 #311 Sandy Green (Jun 01)
- Re: Firewall-Wizards Digest V1 #311 Matt Curtin (Jun 01)
- Re: Firewall-Wizards Digest V1 #311 Carric Dooley (Jun 03)
- <Possible follow-ups>
- Re: Firewall-Wizards Digest V1 #311 Ryan Russell (Jun 03)
- Re: Firewall-Wizards Digest V1 #311 Chris Brenton (Jun 03)
- Re: Firewall-Wizards Digest V1 #311 Kevin Steves (Jun 14)
- Re: Firewall-Wizards Digest V1 #311 dreamwvr (Jun 03)
- Re: Firewall-Wizards Digest V1 #311 Chris Brenton (Jun 03)
- Re: Firewall-Wizards Digest V1 #311 Ryan Russell (Jun 03)
- Re: Firewall-Wizards Digest V1 #311 Ivan Arce (Jun 14)
- Re: Firewall-Wizards Digest V1 #311 Kevin Steves (Jun 14)
- Re: Firewall-Wizards Digest V1 #311 Matt Curtin (Jun 01)