Security Basics mailing list archives
RE: win2k firewall
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 13 Jan 2003 07:47:54 -0800
> ...., but it also has the ability to defragment incoming packets for reassembly and proper analysis.
Fragmented packets should be DROPPED. Packet reassembly sounds like a nifty feature to have, but it's a DoS attack from Hell just waiting for someone to write the code -- if they haven't yet. The only downside of dropping fragments is that in a few cases clients may need to tweak their MTUs. Fragmentation needs to be done at the UDP/TCP layer (ICMP never has a legitimate need for it) so every packet has the headers needed for security analysis.

Dave Gillett
-----Original Message-----
From: Jason Dixon [mailto:jasondixon () myrealbox com]
Sent: January 8, 2003 10:13
To: security-basics () securityfocus com
Subject: RE: win2k firewall

On Tue, 2003-01-07 at 15:26, Daniel R. Miessler wrote:
> > Why would you tell someone to run blackice which has bugs in it. If you're going to have a firewall, just grab a box that is not being used and put Openbsd on there and make your firewall that way.
>
> Because when you pass ports through a packet filter into a machine offering services, OpenBSD isn't going to help you. There is little difference between doing this and just turning off all services other than the public ones and putting it right on the Internet with no protection at all.

I hope you're simply trolling, because that has to be one of the most asinine, ignorant responses I've seen on this list to date. You obviously have little experience with firewalls. Do you understand the concepts of stateful inspection? TCP flags? An open server without firewall protection has no ability to protect itself from spoofed or mangled connections. OpenBSD has a fully functional, state-of-the-art packet inspection and state engine in PF. It not only has the ability to track full state in TCP (full sequence tracking), UDP and ICMP (connection tracking), but it also has the ability to defragment incoming packets for reassembly and proper analysis. Not to mention the current QoS code that's been released for some time now, and the upcoming (6 months or so) stateful synching abilities between disparate systems. OpenBSD/PF compete aggressively with all of the major commercial offerings out there... FW-1, Netscreen, etc. To claim that OpenBSD is inferior to BlackIce in any stretch of the imagination... is laughable. I'm not here to criticize BlackIce or compare it to OpenBSD. Rather, I just wanted to point out that you have no idea what the hell you're talking about when it comes to OpenBSD firewalls.

-J.
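The two positions in this exchange (drop every fragment, as Gillett argues, versus reassemble before inspection, as Dixon describes PF doing) can be shown side by side on raw IPv4 headers. The block below is an added illustration written for this archive page; it is not PF code and not anything either poster wrote. It parses the IPv4 flags/offset field from constructed packets, applies the drop-all-fragments policy, and then implements the alternative: a reassembler with hard limits on pending datagrams, pieces per datagram and age, so that a flood of never-completing fragments (the resource-exhaustion risk Gillett points at) is refused instead of consuming memory. All names (`drop_fragments_policy`, `BoundedReassembler`, `build_ipv4`) and the limit values are assumptions chosen for the example, and the packets are constructed inline.

```python
"""Fragment handling policies for an IPv4 packet filter (constructed example)."""
import struct

IP_MF = 0x2000           # "More Fragments" bit in the IPv4 flags/offset field
IP_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the IPv4 header fields needed for a fragment decision."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": src, "dst": dst, "id": ident, "proto": proto,
        "mf": bool(flags_frag & IP_MF),
        "offset": (flags_frag & IP_OFFSET_MASK) * 8,
        "payload": pkt[ihl:total_len],
    }


def is_fragment(hdr: dict) -> bool:
    return hdr["mf"] or hdr["offset"] > 0


def has_transport_header(hdr: dict) -> bool:
    """Only an offset-0 piece can carry the TCP/UDP header a filter inspects."""
    need = 20 if hdr["proto"] == 6 else 8  # minimum TCP header vs UDP header
    return hdr["offset"] == 0 and len(hdr["payload"]) >= need


def drop_fragments_policy(pkt: bytes) -> str:
    """Policy A: every fragment is dropped; whole datagrams go on to inspection."""
    hdr = parse_ipv4(pkt)
    if is_fragment(hdr):
        return "drop"
    return "inspect" if has_transport_header(hdr) else "drop"


class BoundedReassembler:
    """Policy B: reassemble, but with hard limits (assumed values) so that
    incomplete fragment sets cannot grow memory without bound."""

    def __init__(self, max_pending=64, max_frags=16, timeout=30.0):
        self.max_pending, self.max_frags, self.timeout = max_pending, max_frags, timeout
        self.pending = {}  # (src, dst, id, proto) -> {"t", "frags", "total"}

    def feed(self, pkt: bytes, now: float):
        """Return ("inspect", data), ("hold", None) or ("drop", None)."""
        hdr = parse_ipv4(pkt)
        if not is_fragment(hdr):
            return ("inspect", pkt) if has_transport_header(hdr) else ("drop", None)
        self._expire(now)
        key = (hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.max_pending:
                return ("drop", None)  # refuse new work rather than grow without bound
            entry = self.pending[key] = {"t": now, "frags": {}, "total": None}
        if hdr["offset"] in entry["frags"] or len(entry["frags"]) >= self.max_frags:
            del self.pending[key]  # duplicate/overlapping offset or too many pieces
            return ("drop", None)
        entry["frags"][hdr["offset"]] = hdr["payload"]
        if not hdr["mf"]:  # last piece fixes the datagram length
            entry["total"] = hdr["offset"] + len(hdr["payload"])
        if entry["total"] is not None:
            data = self._assemble(entry)
            if data is not None:
                del self.pending[key]
                return ("inspect", data)
        return ("hold", None)

    def _assemble(self, entry):
        out = b""
        for off in sorted(entry["frags"]):
            if off != len(out):
                return None  # gap: still waiting for a piece
            out += entry["frags"][off]
        return out if len(out) == entry["total"] else None

    def _expire(self, now: float):
        for key in [k for k, e in self.pending.items() if now - e["t"] > self.timeout]:
            del self.pending[key]


def build_ipv4(src, dst, ident, proto, payload, offset=0, mf=False) -> bytes:
    """Build a minimal IPv4 packet (checksum left zero; constructed test input)."""
    flags_frag = (IP_MF if mf else 0) | ((offset // 8) & IP_OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload
```

Policy A is a one-line decision and needs no state, which is exactly why it cannot be exhausted; Policy B keeps the reassembled datagram available for header inspection but only stays safe because of the `max_pending`, `max_frags` and `timeout` bounds, which is the trade-off the two posters are arguing about.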
Current thread:
- RE: win2k firewall, (continued)
- RE: win2k firewall H C (Jan 07)
- RE: win2k firewall Daniel R. Miessler (Jan 07)
- RE: win2k firewall josh (Jan 08)
- RE: win2k firewall Daniel R. Miessler (Jan 08)
- RE: win2k firewall H C (Jan 08)
- RE: win2k firewall Daniel R. Miessler (Jan 08)
- RE: win2k firewall H C (Jan 08)
- RE: win2k firewall Daniel R. Miessler (Jan 08)
- RE: win2k firewall Jimmy Sansi (Jan 09)
- RE: win2k firewall Jason Dixon (Jan 11)
- RE: win2k firewall David Gillett (Jan 13)
- RE: win2k firewall Richard H. Cotterell (Jan 21)