Firewall Wizards mailing list archives

Re: Crafted Packets Handling by Firewalls


From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Wed, 19 Jan 2000 11:06:59 -0800




For example: CheckPoint Firewall-1

Assume port 80 is open to the www server. It lets a SYN-ACK
packet go through when no SYN was first sent from the probing host.
SYN-ACK is not the only example: SYN-FIN, RST, FIN, FIN-ACK,
basically any crafted TCP-flag packet.

This is a "feature".  Firewall-1 will allow packets through that appear
to be the middle or end of a conversation (anything after the first packet)
for TCP.  It's supposed to mangle the packet on the way in.  The purpose
of this is to try to determine if the inside machine believes it was in
the middle of that conversation.  This allows for some connections
to remain alive during reboots and restarts of the firewall.

If the inside machine sends a reply that leads the firewall to believe
it's ok, it goes ahead and allocates a state entry and permits the
rest of the conversation.  If it gets a RST or something, it
doesn't.

I don't believe that behavior can be turned off.

                         Ryan
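The two behaviours Ryan contrasts, a filter that only creates state on a SYN versus one that forwards a mid-conversation packet and lets the inside host's reaction decide, can be modelled in a few dozen lines. The block below is an added illustration, not code from the original post and not CheckPoint's implementation: the rulebase, the addresses, the flag constants and the decision to let the host's RST back out to the prober are all assumptions of the model.

```python
from dataclasses import dataclass, field

# Toy model of the behaviour described in the post. Not CheckPoint's code:
# the rulebase, addresses and the choice to forward the host's RST outward
# are assumptions made for illustration.

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

    def key(self):
        # 4-tuple as seen from the outside (client -> server)
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        # the same flow, keyed as the inside host's reply would be seen
        return (self.dst, self.dport, self.src, self.sport)


@dataclass
class StatefulFilter:
    allowed: set                    # hypothetical rulebase: {(dst, dport)} open inbound
    pickup: bool                    # True models "allow packets after the first one"
    state: set = field(default_factory=set)     # flows with a state entry
    pending: set = field(default_factory=set)   # picked-up flows awaiting the host's verdict
    log: list = field(default_factory=list)

    def _verdict(self, verdict, pkt, why):
        self.log.append((verdict, pkt, why))
        return verdict

    def inbound(self, pkt):
        """Packet arriving from the outside. Returns 'PASS' or 'DROP'."""
        if pkt.key() in self.state:
            return self._verdict("PASS", pkt, "established")
        if (pkt.dst, pkt.dport) not in self.allowed:
            return self._verdict("DROP", pkt, "no rule")
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.state.add(pkt.key())
            return self._verdict("PASS", pkt, "new connection")
        # Non-SYN packet with no state entry: a crafted probe, or a survivor of
        # a firewall restart. Strict mode drops it; pickup mode forwards it and
        # waits to see whether the inside host believes the flow exists.
        if not self.pickup:
            return self._verdict("DROP", pkt, "no state, not SYN")
        self.pending.add(pkt.key())
        return self._verdict("PASS", pkt, "pickup, awaiting host reply")

    def outbound(self, pkt):
        """Reply from the inside host. A pending pickup becomes state unless the host resets."""
        k = pkt.reverse_key()
        if k in self.pending:
            self.pending.discard(k)
            if pkt.flags & RST:
                # Host had no such connection: no state is created. The RST
                # itself still leaves (assumption of this model), which is
                # exactly what an ACK scanner listens for.
                return self._verdict("PASS", pkt, "host RST, no state created")
            self.state.add(k)
            return self._verdict("PASS", pkt, "host accepted, state created")
        return self._verdict("PASS", pkt, "outbound")


def run_scenarios():
    """Constructed traffic: an ACK probe at the web server, as in the post."""
    results = {}
    allowed = {("10.0.0.80", 80)}
    probe = Packet("198.51.100.7", 40000, "10.0.0.80", 80, ACK)
    reset = Packet("10.0.0.80", 80, "198.51.100.7", 40000, RST | ACK)
    survivor = Packet("10.0.0.80", 80, "198.51.100.7", 40000, ACK)
    follow_up = Packet("198.51.100.7", 40000, "10.0.0.80", 80, ACK)
    probe_smtp = Packet("198.51.100.7", 40001, "10.0.0.80", 25, ACK)

    # Strict filter: a crafted non-SYN packet never reaches the host.
    strict = StatefulFilter(allowed, pickup=False)
    results["strict_probe"] = strict.inbound(probe)

    # Pickup filter, host has no such connection: probe reaches the host,
    # host answers RST, no state entry is allocated.
    fw = StatefulFilter(allowed, pickup=True)
    results["pickup_probe"] = fw.inbound(probe)
    results["pickup_rst"] = fw.outbound(reset)
    results["state_after_rst"] = probe.key() in fw.state

    # Pickup filter, host still holds the connection (firewall restarted mid-flow):
    # host answers normally, state is created, later packets pass as established.
    fw2 = StatefulFilter(allowed, pickup=True)
    fw2.inbound(probe)
    results["pickup_ack"] = fw2.outbound(survivor)
    results["state_after_ack"] = probe.key() in fw2.state
    results["followup_after_ack"] = fw2.inbound(follow_up)
    results["followup_reason"] = fw2.log[-1][2]

    # A port with no rule is dropped in either mode; pickup only widens what
    # an already-open rule lets through.
    results["pickup_probe_smtp"] = fw.inbound(probe_smtp)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The point a prober cares about is the second scenario: in pickup mode the crafted ACK is delivered to the inside host even though no state is ever created for it, so any reply the host sends (here a RST, on the model's assumption that it is forwarded) tells the outside that a host is listening behind the open rule. The strict filter never lets the probe past the firewall at all.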




