Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: "Darden, Patrick S." <darden () armc org>
Date: Wed, 28 Nov 2007 09:29:09 -0500
Marcus J. Ranum wrote:

> Let's take MITM and DOS off the table. No firewall will protect you against either of those.

I've addressed the MITM and DOS issues. I don't agree with you, and I have presented my reasoning.

> Does a router with ACL+"established" let unsolicited RSTs through? I thought that all that got through was SYN, unless it had an ACK. And to do an RST with an active connection don't you need the sequence #? That would require a MITM, right?

Yep, it will. Any firewall that does not depend on tcp sequence #s will allow such an attack.

> The hard thing I had to wrap my brain around was the observation that between a router+ACLs combined with the state that is held in the TCP stack of the target, you've got exactly the same thing (and often quite a bit better!) than a "stateful" firewall.

I respectfully disagree for all the reasons I have outlined before.... Sum: tcp sequence #s make a difference.

--Patrick Darden

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
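The point the two posters are arguing over, as an added example that is not part of the thread and not code from either participant: a Cisco-style ACL `established` keyword matches any TCP segment with the ACK or RST bit set and keeps no connection state, whereas a filter that tracks each connection's sequence window can discard a forged RST whose sequence number is nowhere near what the connection expects. The segments below are constructed for illustration, the window size and the `StatefulFilter` class are assumptions of this example, and nothing here models what the target host's own TCP stack would do with the segment once it arrives (which is the other half of the disagreement above).

```python
"""Emulate the two filtering models from the thread on constructed TCP segments.

acl_established(): the router ACL "established" check (ACK or RST set, no state).
StatefulFilter:    a tracker that records each side's expected sequence number
                   and drops segments that fall outside an assumed receive window.
All segments are constructed inline; there is no network I/O.
"""
from dataclasses import dataclass

FLAG_SYN = 0x02
FLAG_RST = 0x04
FLAG_ACK = 0x10
SEQ_MOD = 1 << 32


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int = 0
    length: int = 0  # payload bytes carried by this segment


def acl_established(seg: Segment) -> bool:
    """Cisco-style 'established': permit if ACK or RST is set, regardless of state."""
    return bool(seg.flags & (FLAG_ACK | FLAG_RST))


class StatefulFilter:
    """Minimal sequence-tracking filter for connections opened from the inside."""

    def __init__(self, window: int = 65535):  # window size is an assumption
        self.window = window
        # key (client, cport, server, sport) -> expected next seq from each side
        self.conns = {}

    @staticmethod
    def _key(seg):
        return (seg.src, seg.sport, seg.dst, seg.dport)

    @staticmethod
    def _rev(seg):
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def _in_window(self, base, seq):
        return (seq - base) % SEQ_MOD < self.window

    def handle(self, seg: Segment) -> bool:
        """Return True if the segment is permitted, False if it is dropped."""
        if seg.flags & FLAG_SYN and not seg.flags & FLAG_ACK:
            # New connection from the inside: remember the client's ISN.
            self.conns[self._key(seg)] = {"fwd": (seg.seq + 1) % SEQ_MOD, "rev": None}
            return True
        if self._key(seg) in self.conns:
            key, side = self._key(seg), "fwd"
        elif self._rev(seg) in self.conns:
            key, side = self._rev(seg), "rev"
        else:
            return False  # no matching connection: unsolicited, drop
        st = self.conns[key]
        if st[side] is None:
            # First reply from the server must be SYN/ACK; it fixes the server's ISN.
            if seg.flags & FLAG_SYN and seg.flags & FLAG_ACK:
                st[side] = (seg.seq + 1) % SEQ_MOD
                return True
            return False
        if not self._in_window(st[side], seg.seq):
            return False  # RST or data outside the expected window: drop
        if seg.flags & FLAG_RST:
            del self.conns[key]  # in-window RST tears the connection down
            return True
        st[side] = (seg.seq + seg.length) % SEQ_MOD
        return True


def run_scenario():
    """Replay a handshake, then a forged and a genuine RST, through both models.

    Returns a dict label -> (acl_established_result, stateful_result).
    """
    client, server = ("10.0.0.5", 40000), ("203.0.113.9", 80)
    sf = StatefulFilter()
    steps = [
        ("syn", Segment(*client, *server, FLAG_SYN, seq=1000)),
        ("synack", Segment(*server, *client, FLAG_SYN | FLAG_ACK, seq=5000, ack=1001)),
        ("ack", Segment(*client, *server, FLAG_ACK, seq=1001, ack=5001)),
        # Forged RST from the server's address with a random sequence number.
        ("forged_rst", Segment(*server, *client, FLAG_RST | FLAG_ACK, seq=999_999)),
        # RST from an address the client never talked to.
        ("stray_rst", Segment("198.51.100.7", 443, *client, FLAG_RST, seq=42)),
        # Genuine RST carrying the server's expected sequence number.
        ("real_rst", Segment(*server, *client, FLAG_RST | FLAG_ACK, seq=5001)),
    ]
    return {label: (acl_established(seg), sf.handle(seg)) for label, seg in steps}
```

Running `run_scenario()` shows the ACL passing both the forged and the stray RST (each has RST set) while the sequence-tracking filter passes only the RST that lands in the expected window; an attacker who can guess or observe the sequence number still gets through either way, which is why the window check narrows the attack rather than eliminating it.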