Firewall Wizards mailing list archives
Re: Crafted Packets Handling by Firewalls
From: Darren Reed <darrenr () reed wattle id au>
Date: Thu, 20 Jan 100 21:57:30 +1100 (EST)
In some email I received from Ofir Arkin, sie wrote: [...]
For example: CheckPoint Firewall-1
[...]
This is known and not new. But why a "state full" firewall does not check for this behavior?
[...] I believe there is a `patch' for the base INSPECT code that was made available last year to change this behaviour. The default mode of operation is to follow state if the usual 3-way TCP handshake is seen. What you're seeing is the result of the product having a fairly agressive timeout on state information and as a result, lets any packet through with the ACK flag set because it might be something it has forgotten about. In doing so, it strips the packet of data (if any) and watches to see if there is a returned ACK or RST packet and either sets up state information or blocks the original packet (respectively) based on the packet received from the internal host. Darren
Current thread:
- Crafted Packets Handling by Firewalls Ofir Arkin (Jan 19)
- Re: Crafted Packets Handling by Firewalls Aaron D. Turner (Jan 20)
- Re: Crafted Packets Handling by Firewalls Darren Reed (Jan 20)
- <Possible follow-ups>
- Re: Crafted Packets Handling by Firewalls Ryan Russell (Jan 20)
- Re: Crafted Packets Handling by Firewalls Steve . Bleazard (Jan 20)