Firewall Wizards mailing list archives
Re: Crafted Packets Handling by Firewalls
From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Wed, 19 Jan 2000 11:06:59 -0800
For example: CheckPoint Firewall-1. Assume port 80 is open to the www server. It lets a SYN-ACK packet go through when no SYN was first sent from the probing host. SYN-ACK is not the only example: SYN-FIN, RST, FIN, FIN-ACK, basically any TCP flag crafted packet.
This is a "feature". Firewall-1 will allow packets through that appear to be the middle or end of a conversation (anything after the first packet) for TCP. It's supposed to mangle the packet on the way in. The purpose of this is to try to determine if the inside machine believes it was in the middle of that conversation. This allows for some connections to remain alive during reboots and restarts of the firewall. If the inside machine sends a reply that leads the firewall to believe it's ok, it goes ahead and allocates a state entry and permits the rest of the conversation. If it gets a RST or something, it doesn't. I don't believe that behavior can be turned off.

Ryan
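The two policies contrasted in the exchange above, as an added toy model written for this page (not Firewall-1 code and not from either poster): a strict filter that opens state only on a bare SYN, and a permissive one that passes a mid-conversation packet on a tentative entry and lets the inside host's reply decide. The class and function names, the "tentative" state, the addresses and the sample packets are all constructed assumptions; the point is the difference in verdict for a crafted SYN-ACK with no preceding SYN, and the audit helper a defender could use to log exactly the packets the permissive policy lets through.

```python
"""Toy stateful filter contrasting 'strict' and 'permissive' handling of
non-SYN packets that match no known session.  Constructed illustration
for this page; not Firewall-1 code.  Names and addresses are assumptions."""
from dataclasses import dataclass

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of TCP_FLAGS

    def __post_init__(self):
        unknown = self.flags - TCP_FLAGS
        if unknown:
            raise ValueError(f"unknown TCP flags: {sorted(unknown)}")

    @property
    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

    @property
    def reverse_key(self):
        return (self.dst, self.dport, self.src, self.sport)


class StatefulFilter:
    """mode is 'strict' or 'permissive'; allowed_dports are the inside
    services the rule base exposes (port 80 in the thread's example)."""

    def __init__(self, allowed_dports, mode="strict"):
        if mode not in ("strict", "permissive"):
            raise ValueError(mode)
        self.allowed = set(allowed_dports)
        self.mode = mode
        self.state = {}  # flow key -> "tentative" | "established"

    def inbound(self, pkt):
        """Verdict ('accept'/'drop') for a packet arriving from outside."""
        if self.state.get(pkt.key) == "established":
            return "accept"
        if pkt.dport not in self.allowed:
            return "drop"
        if pkt.flags == frozenset({"SYN"}):
            self.state[pkt.key] = "established"  # normal connection start
            return "accept"
        if self.mode == "strict":
            return "drop"  # non-SYN with no session: refuse it
        # Permissive: pass it on a tentative entry and wait to see whether
        # the inside host thinks this conversation exists.
        self.state[pkt.key] = "tentative"
        return "accept"

    def outbound(self, pkt):
        """Reply from the inside host; returns the flow's resulting state."""
        key = pkt.reverse_key
        if self.state.get(key) != "tentative":
            return self.state.get(key, "none")
        if "RST" in pkt.flags:
            del self.state[key]  # host denies the connection: no state
            return "none"
        self.state[key] = "established"
        return "established"


def crafted_probe_verdict(mode, flags):
    """Verdict for a crafted packet to port 80 with no preceding SYN."""
    fw = StatefulFilter({80}, mode)
    probe = Packet("203.0.113.9", 40000, "192.0.2.10", 80, frozenset(flags))
    return fw.inbound(probe)


def permissive_outcome(reply_flags):
    """Permissive path end to end: SYN-ACK probe, then the host's reply."""
    fw = StatefulFilter({80}, "permissive")
    fw.inbound(Packet("203.0.113.9", 40000, "192.0.2.10", 80, frozenset({"SYN", "ACK"})))
    reply = Packet("192.0.2.10", 80, "203.0.113.9", 40000, frozenset(reply_flags))
    return fw.outbound(reply)


def audit_midstream(packets, allowed_dports=(80,)):
    """Packets the permissive filter passes but the strict one drops: the
    set worth logging behind a firewall that behaves as described."""
    strict = StatefulFilter(allowed_dports, "strict")
    perm = StatefulFilter(allowed_dports, "permissive")
    flagged = []
    for p in packets:
        s, q = strict.inbound(p), perm.inbound(p)  # each keeps its own state
        if s == "drop" and q == "accept":
            flagged.append(p)
    return flagged


# Constructed sample traffic: one legitimate flow, two crafted probes,
# and one packet to a port the rule base never opened.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", 40001, "192.0.2.10", 80, frozenset({"SYN"})),
    Packet("203.0.113.5", 40001, "192.0.2.10", 80, frozenset({"ACK"})),
    Packet("198.51.100.7", 40002, "192.0.2.10", 80, frozenset({"SYN", "ACK"})),
    Packet("198.51.100.9", 40003, "192.0.2.10", 25, frozenset({"FIN"})),
    Packet("198.51.100.8", 40004, "192.0.2.10", 80, frozenset({"RST"})),
]

if __name__ == "__main__":
    for mode in ("strict", "permissive"):
        print(mode, "SYN-ACK probe ->", crafted_probe_verdict(mode, {"SYN", "ACK"}))
    print("permissive, host replies RST ->", permissive_outcome({"RST"}))
    print("permissive, host replies ACK ->", permissive_outcome({"ACK"}))
    for p in audit_midstream(SAMPLE_PACKETS):
        print("mid-stream packet with no session:", p.src, sorted(p.flags))
```

Running it shows the strict filter dropping the SYN-ACK probe while the permissive one accepts it, the tentative entry being discarded when the inside host answers with RST and promoted when it answers with anything else, and `audit_midstream` picking out only the two crafted probes from the sample traffic.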
Current thread:
- Crafted Packets Handling by Firewalls Ofir Arkin (Jan 19)
- Re: Crafted Packets Handling by Firewalls Aaron D. Turner (Jan 20)
- Re: Crafted Packets Handling by Firewalls Darren Reed (Jan 20)
- <Possible follow-ups>
- Re: Crafted Packets Handling by Firewalls Ryan Russell (Jan 20)
- Re: Crafted Packets Handling by Firewalls Steve Bleazard (Jan 20)