Bugtraq mailing list archives
Re: Ambiguities in TCP/IP - firewall bypassing
From: cbrenton () slartibartfast pa net
Date: Sat, 19 Oct 2002 13:20:47 -0400 (EDT)
On Sat, 19 Oct 2002, Florian Weimer wrote:

> As a result of this bug, it's quite complicated (if not impossible in some configurations) to properly filter connection attempts to Linux hosts on Cisco IOS routers.

Actually, not really provided you are IOS 11.3 or higher.

> If your access list is a whitelist with a "permit tcp any any established" statement somewhere, it's very likely that you can bypass the filter just by setting the RST in the initial SYN packet

True, which is why if you are relying on ACLs as your only line of defense you are better off doing a:

    ip access-list extended filterout
     permit tcp 219.80.71.0 0.0.0.255 any reflect tcp-state
    ip access-list extended filterin
     evaluate tcp-state

Yes you will take a bigger performance hit with reflexive filters, but it's worth it if it's your only line of defense.

HTH,
C
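As an added illustration, not part of the original post or of any Cisco code, the following Python model contrasts the stateless `established` match (which passes any inbound segment with ACK or RST set) with the reflexive-ACL approach recommended in the reply, where inbound traffic is admitted only if it mirrors a session an inside host opened. The addresses, ports and the simplified teardown rule are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # constructed TCP flag names, e.g. {"SYN", "ACK"}


def established_permits(pkt: Packet) -> bool:
    # 'permit tcp any any established' is stateless: it matches any segment
    # with ACK or RST set, so a SYN carrying a spurious RST bit slips through.
    return bool(pkt.flags & {"ACK", "RST"})


class ReflexiveAcl:
    # Simplified model of 'reflect tcp-state' / 'evaluate tcp-state': outbound
    # packets from the inside network create temporary mirror entries, and
    # inbound packets are permitted only when they match one of them.
    def __init__(self, inside_net: str):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.sessions = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in self.inside_net:
            return False
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return False  # no inside host opened this session: flags are irrelevant
        if "RST" in pkt.flags or "FIN" in pkt.flags:
            self.sessions.discard(key)  # entry torn down with the session (simplified)
        return True


def demo():
    acl = ReflexiveAcl("219.80.71.0/24")
    # Constructed inbound SYN with a spurious RST bit and no prior outbound session.
    bogus = Packet("198.51.100.9", 40000, "219.80.71.5", 22, frozenset({"SYN", "RST"}))
    # Constructed legitimate session: inside host opens to outside, outside replies.
    out = Packet("219.80.71.5", 51000, "198.51.100.9", 80, frozenset({"SYN"}))
    reply = Packet("198.51.100.9", 80, "219.80.71.5", 51000, frozenset({"SYN", "ACK"}))
    acl.outbound(out)
    return established_permits(bogus), acl.inbound(bogus), acl.inbound(reply)
```

`demo()` returns `(True, False, True)`: the stateless match admits the bogus segment, the reflexive filter rejects it, and the genuine reply to an inside-initiated session is still allowed.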