Penetration Testing mailing list archives

RE: Is ipchains -y secure enough?


From: "Firehose () cavu com" <hose () cavu com>
Date: Sun, 24 Jun 2001 23:52:22 -0400

Be sure that the system is set to assemble fragmented packets. I don't know
if ipchains in particular is vulnerable to that problem, but I have heard of
other cases where it was possible to fragment a packet so that the TCP flags
weren't interpreted by the firewall and allowed to pass through.

Yes, IP Chains can be tricked by fragmented packets if one fails to configure
the system to first reassemble fragments.  To have a Linux system always
defrag (mandatory for firewalls), build the kernel with

     CONFIG_IP_ALWAYS_DEFRAG

set to "Y" (yes).  (Taken from pages 357-358 of "Real World Linux Security".)

Also, before you use '! -y', be sure you understand what it does. Since -y
triggers on packets that contain a syn and not ack or fin, the opposite of
that is a packet that contains fin and ack but not syn.

iptables provides much more control over the flags that trigger a rule, but
it's still fairly new so that may or may not be an option for you.

Yes, but IP Tables does not have major advantages over IP Chains for most
people's rule sets.  IP Tables *does* make it easier to build stateful
firewalls; I expect they will become standard on Linux within a year or so.
(There are some stateful firewalls that run on Linux now.)

Bob Toxen, CTO
Fly-By-Day Consulting, Inc.       "Experts in Linux & Unix security"
bob () cavu com
hose () cavu com [bulk security email]
http://www.cavu.com
http://www.realworldlinuxsecurity.com/ [My 5* book: Real World Linux Security]
Quality Linux & UNIX security and software consulting since 1990.
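
As an added illustration (not part of the thread or of ipchains itself), the `-y` semantics discussed above in Python: `-y` is "SYN set, ACK and FIN clear", so `! -y` matches every other TCP packet (plain ACK, SYN+ACK, RST), not only FIN+ACK; and a non-first fragment carries no TCP header at all, which is why the kernel must reassemble before a flag test can mean anything. The packet builder, the sample addresses and the `None` result for fragments are constructed assumptions for this demo, not ipchains' real fragment handling.

```python
import struct
from typing import Optional

# TCP flag bits as found in byte 13 of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def parse_ipv4(pkt: bytes):
    """Return (protocol, fragment offset in bytes, payload) of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4                       # header length in bytes
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    offset = (flags_frag & 0x1FFF) * 8              # low 13 bits, units of 8 bytes
    return pkt[9], offset, pkt[ihl:]

def ipchains_y(flags: int) -> bool:
    """ipchains -y: a connection-initiating packet (SYN without ACK or FIN)."""
    return bool(flags & SYN) and not (flags & (ACK | FIN))

def rule_matches(pkt: bytes, invert: bool) -> Optional[bool]:
    """Evaluate '-p tcp -y' (invert=False) or '-p tcp ! -y' (invert=True).
    Returns None for a non-first fragment: with no TCP header in the fragment
    there are no flags to test (modelling assumption, see lead-in)."""
    proto, offset, payload = parse_ipv4(pkt)
    if proto != 6:                                  # not TCP
        return False
    if offset != 0:                                 # later fragment: data only
        return None
    return ipchains_y(payload[13]) != invert

def make_packet(flags: int, frag_offset: int = 0) -> bytes:
    """Constructed sample: minimal IPv4 header plus either a TCP header
    (whole packet / first fragment) or 8 bytes of opaque data (later fragment)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, frag_offset // 8, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed addrs
    if frag_offset:
        return ip + b"\x00" * 8
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    for name, f in (("SYN", SYN), ("SYN+ACK", SYN | ACK), ("ACK", ACK), ("FIN+ACK", FIN | ACK)):
        print(f"{name:8} -y={rule_matches(make_packet(f), False)} "
              f"! -y={rule_matches(make_packet(f), True)}")
    print("later fragment, -y =", rule_matches(make_packet(SYN, frag_offset=8), False))
```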