Nmap Development mailing list archives

Re: broken CRC


From: Ed3f <ed3f () antifork org>
Date: Sun, 11 Dec 2005 21:13:43 +0100

> I read in their changelog that time OpenBSD's pf addressed the issue a
> couple releases ago but haven't heard anything about other systems. Have
> any other firewalls done anything about it?

PF simply eats packets with a broken checksum.

Netfilter was already working with TCP packets. They fixed UDP soon after:
http://lists.netfilter.org/pipermail/netfilter-devel/2003-January/010139.html

IPFilter 4.x should be fixed too. (This is what Darren Reed told me at that 
time, when 4.0 was not released yet). By the way, some problems were spotted:
http://www.securityfocus.com/bid/6534/discuss

Cisco? I don't know, but I remember this ancient explanation:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_security_notice09186a0080265e37.html



> One potential problem with adding a global CRC option is that nmap doesn't
> use raw sockets everywhere. For instance, FTP bounce scans, anything that
> uses nsock (version detection, for example), etc. It might not always be
> obvious what you can expect to use broken CRC or not.

Well, adding a global variable, or sort of, should not be a great problem. 
Obviously only raw sockets will take advantage of it.



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
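The thread above is about firewalls that verify IP, TCP and UDP checksums and drop packets whose checksums are wrong. The following script is an added illustration, not code from this thread, from nmap, or from pf/Netfilter/IPFilter: it builds a few constructed IPv4 packets (sample addresses 10.0.0.1 and 10.0.0.2 are made up), deliberately corrupts some of them, and runs each through a `verify()` function that applies the same checks a checksum-validating firewall would, including the IPv4 UDP special case where a zero checksum field means "no checksum" and must not be treated as a bad checksum.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    """Internet checksum to place in a header whose checksum field is zero."""
    return (~ones_complement_sum(data)) & 0xFFFF

def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    """TCP/UDP pseudo-header for IPv4: src, dst, zero, protocol, length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, proto, length)

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload

def build_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """20-byte TCP SYN segment with a correct checksum over pseudo-header + segment."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    seg = hdr + payload
    csum = checksum(pseudo_header(src, dst, 6, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes, with_checksum: bool = True) -> bytes:
    """UDP datagram; with_checksum=False leaves the field zero, which IPv4 permits."""
    length = 8 + len(payload)
    dgram = struct.pack("!HHHH", sport, dport, length, 0) + payload
    if with_checksum:
        csum = checksum(pseudo_header(src, dst, 17, length) + dgram)
        if csum == 0:
            csum = 0xFFFF  # RFC 768: a computed zero is transmitted as all ones
        dgram = dgram[:6] + struct.pack("!H", csum) + dgram[8:]
    return dgram

def verify(packet: bytes):
    """Return (verdict, reason) the way a checksum-checking firewall would decide."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("drop", "not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return ("drop", "bad IHL")
    # A header carrying a correct checksum sums to 0xFFFF when the field is included.
    if ones_complement_sum(packet[:ihl]) != 0xFFFF:
        return ("drop", "bad IP header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl or total_len > len(packet):
        return ("drop", "bad total length")
    proto = packet[9]
    seg = packet[ihl:total_len]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, proto, len(seg))
    if proto == 6:
        if len(seg) < 20:
            return ("drop", "truncated TCP header")
        if ones_complement_sum(pseudo + seg) != 0xFFFF:
            return ("drop", "bad TCP checksum")
        return ("pass", "TCP checksum ok")
    if proto == 17:
        if len(seg) < 8 or struct.unpack("!H", seg[4:6])[0] != len(seg):
            return ("drop", "bad UDP length")
        if seg[6:8] == b"\x00\x00":
            return ("pass", "UDP checksum absent (allowed on IPv4)")
        if ones_complement_sum(pseudo + seg) != 0xFFFF:
            return ("drop", "bad UDP checksum")
        return ("pass", "UDP checksum ok")
    return ("pass", "protocol %d not checked" % proto)

# Constructed sample traffic: good packets plus deliberately corrupted copies.
SRC, DST = "10.0.0.1", "10.0.0.2"
_tcp = build_ipv4(SRC, DST, 6, build_tcp(SRC, DST, 40000, 80))
_udp = build_ipv4(SRC, DST, 17, build_udp(SRC, DST, 40000, 53, b"hello"))
SAMPLE_PACKETS = {
    "tcp_ok": _tcp,
    "tcp_bad_l4": _tcp[:-1] + bytes([_tcp[-1] ^ 0xFF]),       # corrupt last TCP header byte
    "tcp_bad_ip": _tcp[:8] + bytes([_tcp[8] ^ 0x01]) + _tcp[9:],  # corrupt TTL, IP checksum now wrong
    "udp_ok": _udp,
    "udp_bad_l4": _udp[:-1] + bytes([_udp[-1] ^ 0xFF]),       # corrupt last payload byte
    "udp_no_csum": build_ipv4(SRC, DST, 17, build_udp(SRC, DST, 40000, 53, b"hello", with_checksum=False)),
}

def classify_all() -> dict:
    """Map each sample name to the firewall verdict for that packet."""
    return {name: verify(pkt) for name, pkt in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for name, (verdict, reason) in classify_all().items():
        print(f"{name:12s} {verdict:5s} {reason}")
```

The UDP branch is the part worth noticing: a validator that simply recomputes the checksum and compares will wrongly drop every IPv4 UDP datagram sent without a checksum, so the zero-field case has to be handled before the comparison, and a real filter would apply the same care to fragments, which carry no transport checksum to check at all.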

