Penetration Testing mailing list archives
RE: Is ipchains -y secure enough?
From: "Golden_Eternity" <bhodi () bigfoot com>
Date: Tue, 5 Jun 2001 00:23:49 -0700
Be sure that the system is set to assemble fragmented packets. I don't know if ipchains in particular is vulnerable to that problem, but I have heard of other cases where it was possible to fragment a packet so that the TCP flags weren't interpreted by the firewall and allowed to pass through. Also, before you use '! -y', be sure you understand what it does. Since -y triggers on packets that contain a syn and not ack or fin, the opposite of that is a packet that contains fin and ack but not syn. iptables provides much more control over the flags that trigger a rule, but it's still fairly new so that may or may not be an option for you.
-----Original Message-----
From: Philip Stoev [mailto:philip () stoev org]
Subject: Is ipchains -y secure enough?

Excuse me for the ignorance, but I would like to ask if the community considers ipchains rules containing the -y flag as secure for the purpose of TCP filtering. Such a rule will prevent the establishment of TCP connections to the host being firewalled. Is there a way to circumvent such a protection?
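
Added example (not part of either message, and not ipchains code): a Python sketch of the flag test that -y is documented to perform in ipchains(8), SYN set with ACK and FIN cleared, applied to constructed IPv4 packets. It also shows that an unreassembled non-first or very short first fragment carries no flags byte for a filter to test. The helper names, ports and 192.0.2.x addresses are assumptions made for the example.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def matches_y(flags):
    """-y as documented in ipchains(8): SYN set, ACK and FIN cleared."""
    return (flags & (SYN | ACK | FIN)) == SYN

def tcp_flags(pkt):
    """Return the TCP flags byte of an IPv4 packet, or None if this
    packet does not carry it (not TCP, non-first fragment, or truncated)."""
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if pkt[9] != 6 or frag_offset != 0:            # protocol 6 = TCP
        return None
    if len(pkt) < ihl + 14:                        # flags are TCP byte 13
        return None
    return pkt[ihl + 13]

def classify(pkt):
    flags = tcp_flags(pkt)
    if flags is None:
        return "flags unavailable"                 # needs reassembly first
    return "matches -y" if matches_y(flags) else "matches ! -y"

def build(flags, frag_field=0, tcp_len=20):
    """Constructed sample packet: 192.0.2.1:40000 -> 192.0.2.2:80."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags,
                      1024, 0, 0)[:tcp_len]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, frag_field,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp

SAMPLES = {                                        # all constructed
    "SYN": build(SYN),
    "SYN+ACK": build(SYN | ACK),
    "ACK": build(ACK),
    "FIN+ACK": build(FIN | ACK),
    "RST": build(RST),
    "non-first fragment": build(SYN, frag_field=1),
    "8-byte first fragment": build(SYN, frag_field=0x2000, tcp_len=8),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22} {classify(pkt)}")
```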