Firewall Wizards mailing list archives

Re: Firewalls that generate new packets..


From: "Darden, Patrick S." <darden () armc org>
Date: Wed, 28 Nov 2007 09:29:09 -0500




Marcus J. Ranum

Let's take MITM and DOS off the table. No firewall will
protect you against either of those.

I've addressed the MITM and DOS issues.  I don't agree
with you, and I have presented my reasoning.

Does a router with ACL+"established" let unsolicited
RSTs through? I thought that all that got through was
SYN, unless it had an ACK. And to do an RST with
an active connection don't you need the sequence #?
That would require a MITM, right?

Yep, it will.  Any firewall that does not depend on
tcp sequence #s will allow such an attack.

The hard thing I had to wrap my brain around was the
observation that between a router+ACLs combined
with the state that is held in the TCP stack of the
target, you've got exactly the same thing (and often
quite a bit better!) than a "stateful" firewall.

I respectfully disagree for all the reasons I have outlined
before....  Sum: tcp sequence #s make a difference.

--Patrick Darden
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
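Added example, not from this post or from anyone on the list: a small model that runs the two designs being argued about, a stateless router ACL with the "established" keyword and a stateful filter that tracks TCP sequence numbers, over a handful of constructed packets. Assumptions are labelled in the code: the ACL is modelled as admitting any inbound segment with ACK or RST set, and the stateful filter keeps one entry per tracked flow holding the receive window the inside host last advertised. Addresses, ports and sequence numbers are made up.

```python
# Added example (not from the thread): compare a stateless "established" ACL
# with a stateful filter that tracks TCP sequence numbers, on constructed
# packets. Assumptions: the ACL admits any inbound segment with ACK or RST
# set; the stateful filter keeps one entry per connection holding the
# receive window the inside host last advertised.
from dataclasses import dataclass

SEQ_MOD = 2 ** 32  # TCP sequence space wraps at 2^32


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}
    seq: int


@dataclass
class Connection:
    """What a sequence-aware stateful filter keeps for one tracked flow."""
    inside: tuple   # (ip, port) of the protected host
    outside: tuple  # (ip, port) of the remote peer
    rcv_nxt: int    # next sequence number the inside host expects
    rcv_wnd: int    # window the inside host advertised


def acl_established(pkt: Packet, inside_net: str) -> bool:
    """Stateless rule: inbound segments pass if ACK or RST is set.
    No memory of any connection, so flag bits are all it can check."""
    if not pkt.dst.startswith(inside_net):
        return True  # outbound traffic is not filtered in this model
    return bool(pkt.flags & {"ACK", "RST"})


def in_window(conn: Connection, seq: int) -> bool:
    """Modular comparison so sequence-number wraparound is handled."""
    return (seq - conn.rcv_nxt) % SEQ_MOD < conn.rcv_wnd


def stateful_filter(pkt: Packet, table: dict, inside_net: str) -> bool:
    """Sequence-aware rule: inbound segments pass only for a tracked flow
    and only when seq falls inside that flow's receive window."""
    if not pkt.dst.startswith(inside_net):
        return True
    conn = table.get(((pkt.dst, pkt.dport), (pkt.src, pkt.sport)))
    if conn is None:
        return False  # no tracked connection: drop regardless of flags
    return in_window(conn, pkt.seq)


def evaluate() -> dict:
    """Run both filters over constructed packets; returns name -> (acl, stateful)."""
    inside_net = "10.0.0."
    inside, outside = ("10.0.0.5", 443), ("198.51.100.7", 51000)
    table = {(inside, outside): Connection(inside, outside,
                                           rcv_nxt=1_000_000, rcv_wnd=65_535)}

    def inbound(flags, seq, sport=51000):
        return Packet("198.51.100.7", sport, "10.0.0.5", 443,
                      frozenset(flags), seq)

    samples = {
        # constructed: fresh SYN from outside, no tracked flow
        "syn_no_state": inbound({"SYN"}, 7, sport=40001),
        # constructed: bare ACK to a port with no tracked flow
        "ack_no_state": inbound({"ACK"}, 7, sport=40000),
        # constructed: RST whose seq is nowhere near the receive window
        "rst_out_of_window": inbound({"RST"}, 0),
        # constructed: RST at exactly rcv_nxt, as a real peer would send
        "rst_in_window": inbound({"RST"}, 1_000_000),
        # constructed: in-window ACK on the tracked flow
        "ack_in_window": inbound({"ACK"}, 1_000_100),
    }
    return {name: (acl_established(p, inside_net),
                   stateful_filter(p, table, inside_net))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (acl, stateful) in evaluate().items():
        print(f"{name:20s} acl={'pass' if acl else 'drop':4s} "
              f"stateful={'pass' if stateful else 'drop'}")
```

Both filters drop the unsolicited SYN and pass the in-window segments; they part ways on the bare ACK with no tracked flow and on the RST whose sequence number is outside the window, both of which the ACL forwards and the stateful filter drops. Whatever the ACL forwards is then judged by the inside host's own TCP stack, which is the point on which the two posters disagree. Hosts following RFC 5961 are stricter than the window check modelled here and accept a RST only when its sequence number equals rcv_nxt, answering otherwise with a challenge ACK.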