Penetration Testing mailing list archives
RE: Is ipchains -y secure enough?
From: "Firehose () cavu com" <hose () cavu com>
Date: Sun, 24 Jun 2001 23:52:22 -0400
> Be sure that the system is set to assemble fragmented packets. I don't know if ipchains in particular is vulnerable to that problem, but I have heard of other cases where it was possible to fragment a packet so that the TCP flags weren't interpreted by the firewall and allowed to pass through.
Yes, IP Chains can be tricked by fragmented packets if one fails to configure the system to first reassemble fragments. To have a Linux system always defrag (mandatory for firewalls), build the kernel with CONFIG_IP_ALWAYS_DEFRAG set to "Y" (yes). (Taken from pages 357-358 of "Real World Linux Security".)
> Also, before you use '! -y', be sure you understand what it does. Since -y triggers on packets that contain a syn and not ack or fin, the opposite of that is a packet that contains fin and ack but not syn.
> iptables provides much more control over the flags that trigger a rule, but it's still fairly new so that may or may not be an option for you.
Yes, but IP Tables does not have major advantages over IP Chains for most people's rule sets. IP Tables *does* make it easier to build stateful firewalls; I expect they will become standard on Linux within a year or so. (There are some stateful firewalls that run on Linux now.)

Bob Toxen, CTO
Fly-By-Day Consulting, Inc.
"Experts in Linux & Unix security"
bob () cavu com
hose () cavu com [bulk security email]
http://www.cavu.com
http://www.realworldlinuxsecurity.com/ [My 5* book: Real World Linux Security]
Quality Linux & UNIX security and software consulting since 1990.
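As an added example (not code from this thread or from the ipchains project), the following Python models the -y test as ipchains defines it, SYN set with ACK and FIN clear, against constructed raw IPv4/TCP packets. It shows which flag combinations fall on the '! -y' side of the test and that on a non-first fragment the flags cannot be read at all, which is why the kernel must reassemble before the rules are evaluated. The packet layout helper, ports and addresses are constructed samples.

```python
"""Model of the ipchains -y / '! -y' TCP flag test applied to raw IPv4 packets."""
import struct

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10


def matches_y(flags):
    """ipchains -y: SYN set, ACK and FIN clear (a connection-opening packet)."""
    return bool(flags & TCP_SYN) and not (flags & (TCP_ACK | TCP_FIN))


def tcp_flags_of(packet):
    """Return the TCP flags byte of an IPv4 packet, or None if it cannot be read.

    None is returned for non-TCP packets, for non-first fragments (offset != 0),
    which carry no TCP header at all, and for a first fragment too short to
    contain the flags byte (TCP header offset 13)."""
    if len(packet) < 20:
        return None
    vihl, _tos, _tlen, _id, frag, _ttl, proto = struct.unpack('!BBHHHBB', packet[:10])
    ihl = (vihl & 0x0F) * 4
    if proto != 6:
        return None
    if frag & 0x1FFF:            # fragment offset != 0: no TCP header in this piece
        return None
    if len(packet) < ihl + 14:   # flags byte not present in this piece
        return None
    return packet[ihl + 13]


def classify(packet):
    """'-y' if a -y rule would fire, '! -y' if its negation would, 'unknown' if the
    flags cannot be read from this packet; only reassembly settles 'unknown'."""
    flags = tcp_flags_of(packet)
    if flags is None:
        return 'unknown'
    return '-y' if matches_y(flags) else '! -y'


def build_packet(flags, frag_offset=0, more_fragments=False):
    """Constructed sample: 20-byte IPv4 header plus the part of a 20-byte TCP
    header (checksums zero) that a fragment at frag_offset (8-byte units) carries."""
    frag_field = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40, 1, frag_field, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack('!HHIIBBHHH', 12345, 22, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp[frag_offset * 8:]
```

Every TCP packet that is not a bare SYN, including plain ACK, RST and SYN+ACK packets, lands on the '! -y' side, and a fragment that does not carry the flags byte is reported as 'unknown' rather than matched either way.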