Firewall Wizards mailing list archives
Re: FW-1 initiate connection rule
From: Frédéric FROISSART <frederic.froissart () icdc caissedesdepots fr>
Date: Fri, 08 Dec 2000 11:32:56 +0100
Hi everybody,

Lance Spitzner wrote:

Just thought of a cool rule hack for CheckPoint FW-1 firewalls. Many of you may have thought of this before, but I haven't seen it discussed.

1. PROBLEM
-----------

Many FW-1 installations only inspect inbound packets as opposed to eitherbound. This is done on purpose. For large, complex rulebases, eitherbound rule sets can be difficult to troubleshoot. Many organizations choose to inspect packets only inbound as it is far easier to maintain and troubleshoot.

This exposes FW-1 installations to risk. Attacks can be used against the firewall that are based on the firewall initiating connections (which would not be inspected). Examples include packets whose TTL expires at the firewall, causing the firewall to initiate an ICMP TTL error message, which can be used to map firewall rulebases.
Have you got other examples of similar attacks that are based on the firewall initiating connections?

Fred

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
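A small detector for the case Lance describes, added here as an example and not part of the thread or of FW-1 itself: it pairs packets that arrive with TTL 1 (so they expire on the firewall) with the ICMP Time Exceeded replies the firewall then originates, which an inbound-only rulebase never inspects. The firewall addresses, the one-line-per-packet summary format and the sample traffic are all constructed.

```python
from collections import Counter, namedtuple

# Assumed firewall interface addresses (constructed, RFC 5737 ranges).
FIREWALL_ADDRS = {"192.0.2.1", "198.51.100.1"}
ICMP_TIME_EXCEEDED = 11  # ICMP type 11, sent when a packet's TTL expires in transit

# Constructed traffic summary, one packet per line: ts src dst proto ttl [icmp_type]
SAMPLE = """\
1000.00 203.0.113.7 10.0.0.5 tcp 1
1000.01 192.0.2.1 203.0.113.7 icmp 64 11
1000.50 203.0.113.7 10.0.0.5 tcp 1
1000.51 192.0.2.1 203.0.113.7 icmp 64 11
1001.00 203.0.113.9 10.0.0.5 tcp 64
1002.00 192.0.2.1 203.0.113.9 icmp 64 11
1003.00 203.0.113.9 10.0.0.5 tcp 1
1010.00 192.0.2.1 203.0.113.9 icmp 64 11
"""

Packet = namedtuple("Packet", "ts src dst proto ttl icmp_type")

def parse_record(line):
    """Parse one line of the constructed summary format above."""
    f = line.split()
    icmp_type = int(f[5]) if f[3] == "icmp" and len(f) > 5 else None
    return Packet(float(f[0]), f[1], f[2], f[3], int(f[4]), icmp_type)

def ttl_probe_replies(packets, window=1.0):
    """Per outside host, count firewall-originated ICMP Time Exceeded replies that
    follow (within `window` seconds) a packet from that host arriving with TTL 1,
    i.e. expiring at the firewall: traffic an inbound-only rulebase never inspects."""
    last_low_ttl = {}   # outside host -> time of its latest TTL-expiring packet
    hits = Counter()
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.src not in FIREWALL_ADDRS and p.ttl <= 1:
            last_low_ttl[p.src] = p.ts
        elif p.src in FIREWALL_ADDRS and p.icmp_type == ICMP_TIME_EXCEEDED:
            seen = last_low_ttl.get(p.dst)
            if seen is not None and p.ts - seen <= window:
                hits[p.dst] += 1  # the firewall answered that probe itself
    return dict(hits)

def analyse(text, window=1.0):
    """Run the detector over a summary text; returns {host: reply_count}."""
    return ttl_probe_replies([parse_record(l) for l in text.splitlines()], window)
```

A Time Exceeded reply with no preceding low-TTL packet from that host, or one outside the window, is not counted, so the window is what tunes false positives against normal traceroute traffic.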