Vulnerability Development mailing list archives

Re: iptables 'syn but not new' packets


From: "Alex Butcher (vuln-dev)" <vulndev () cocoa demon co uk>
Date: Tue, 11 Dec 2001 23:09:57 +0000 (GMT)

On Tue, 11 Dec 2001, Blue Boar wrote:

> Firewall-1 has had this feature for some time.  I read recently that
> OpenBSD's new PF firewall can do this.  This is why I allowed the post.
> I suspect there is some fun to be had with this feature, in various
> implementations.
>
> cf. Filling up Firewall-1's state table by ACK scanning a host
> behind one that's partially or fully exposed.

Actually, I believe that a lot of the "smart" functionality of FW-1 
regarding "known" connections has gone in recent versions because it was 
causing too many problems. I could well be wrong on this point though, as 
I haven't worked with FW-1 on a day-to-day basis for a little while... :)

>                                       BB

Best Regards,
Alex.
-- 
Alex Butcher         Brainbench MVP for Internet Security: www.brainbench.com
Berkshire, UK      Is *your* company hiring UNIX/Security/Pen. testing folks?
PGP/GnuPG ID:0x271fd950                      http://www.cocoa.demon.co.uk/cv/

