Firewall Wizards mailing list archives

Re: Crafted Packets Handling by Firewalls


From: Darren Reed <darrenr () reed wattle id au>
Date: Thu, 20 Jan 100 21:57:30 +1100 (EST)

In some email I received from Ofir Arkin, sie wrote:
[...]
For example: CheckPoint Firewall-1 
[...]
This is known and not new. But why a "state full" firewall does 
not check for this behavior?
[...]

I believe there is a `patch' for the base INSPECT code that was made
available last year to change this behaviour.

The default mode of operation is to follow state if the usual 3-way
TCP handshake is seen.

What you're seeing is the result of the product having a fairly aggressive
timeout on state information and as a result, lets any packet through with
the ACK flag set because it might be something it has forgotten about.  In
doing so, it strips the packet of data (if any) and watches to see if there
is a returned ACK or RST packet and either sets up state information or
blocks the original packet (respectively) based on the packet received from
the internal host.

Darren
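
A toy model of the out-of-state ACK handling described in the message above, added here as an illustration; it is not Check Point's INSPECT code and not code from the post. The class names, verdict strings and the 60-second timeout are assumptions, and anything outside the ACK path is simply handed to a notional rule base.

```python
from dataclasses import dataclass, field

SYN, ACK, RST = "SYN", "ACK", "RST"
STATE_TIMEOUT = 60  # seconds; constructed value, not a product default

@dataclass
class Packet:
    src: str                 # "ip:port" of sender
    dst: str                 # "ip:port" of receiver
    flags: frozenset
    payload: bytes = b""
    inbound: bool = True     # True: outside -> internal host

def conn_key(p):
    # Direction-independent connection identifier
    return frozenset((p.src, p.dst))

@dataclass
class ToyFirewall:
    established: dict = field(default_factory=dict)  # key -> last-seen time
    pending: set = field(default_factory=set)        # stripped ACKs awaiting a reply

    def handle(self, p, now):
        k = conn_key(p)
        seen = self.established.get(k)
        if seen is not None and now - seen <= STATE_TIMEOUT:
            self.established[k] = now          # known connection: refresh and pass
            return "pass", p
        self.established.pop(k, None)          # aggressive timeout: state forgotten
        if not p.inbound and k in self.pending:
            self.pending.discard(k)
            if RST in p.flags:                 # internal host disowns the connection
                return "blocked", p
            if ACK in p.flags:                 # internal host knows it: rebuild state
                self.established[k] = now
                return "state-created", p
        if p.inbound and ACK in p.flags and SYN not in p.flags:
            # Might be a connection the firewall forgot: forward without data
            self.pending.add(k)
            return "pass-stripped", Packet(p.src, p.dst, p.flags, b"", True)
        return "rulebase", p                   # everything else: normal rule evaluation
```

The point the model makes visible is that an ACK with no matching state still reaches the internal host, only without its payload, and the verdict is decided by how that host answers.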


