Penetration Testing mailing list archives

Re: Is ipchains -y secure enough?


From: "Marius Huse Jacobsen" <mahuja () c2i net>
Date: Thu, 7 Jun 2001 17:56:01 +0200


Excuse me for the ignorance,

Better ask than stay ignorant :)

but I would like to ask if the community considers ipchains rules containing the -y flag as secure for the purpose of TCP filtering. Such a rule will prevent the establishment of TCP connections to the host being firewalled. Is there a way to circumvent such a protection?

Be sure that the system is set to assemble fragmented packets. I
don't know if ipchains in particular is vulnerable to that problem,
but I have heard of other cases where it was possible to fragment a
packet so that the TCP flags weren't interpreted by the firewall
and allowed to pass through.

Ipchains too. I don't know if they fixed it for the latest version(s).
I believe the fragrouter program demonstrated it?

AFAIR, the TCP header could, after being reviewed by ipchains as good
(e.g. a normal packet from port 80 to port 2305), be accepted, with
fragmentation later overwriting the header so the target receives a
packet (say, SYN from port 40389 to port 25). Possibly the changes
possible were even more limited than this.

This would, however, depend on fragmentation handling on the target
computer. And it would not work if you set the box to reassemble all
packets passing through.

iptables provides much more control over the flags that trigger a
rule, but it's still fairly new, so that may or may not be an option
for you.

There was a security hole in the FTP extension to it - an attacker
could make the firewall expect (accept) a connection.






Don't look at computer security as a cage, but as a shield.
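The fragmentation point made in the reply above, as an added toy model (not code from the post or from ipchains): a filter that judges TCP flags from the first fragment alone can be fooled by a later overlapping fragment, while a filter that reassembles first, and drops overlapping fragments outright, is not. Offsets, header layout and the fragment pair are constructed for the simulation; the `-y` semantics (SYN set, ACK and FIN clear) follow the ipchains man page.

```python
# Toy model, added here rather than taken from the post, of why a -y style
# SYN filter must inspect reassembled packets instead of raw fragments.
# A fragment is (byte_offset, payload); real IP fragment offsets are multiples
# of 8 bytes, so the constructed offsets below are too.  Flags byte is index 13.

SYN, ACK, FIN = 0x02, 0x10, 0x01

def tcp_header(flags):
    """Constructed 20-byte TCP header carrying only the given flags."""
    h = bytearray(20)
    h[13] = flags
    return bytes(h)

def is_syn(hdr):
    """Roughly what ipchains -y matches: SYN set, ACK and FIN clear."""
    return bool(hdr[13] & SYN) and not (hdr[13] & (ACK | FIN))

def reassemble(fragments):
    """Host-style reassembly in which later fragments overwrite earlier bytes."""
    buf = bytearray()
    for offset, payload in fragments:
        end = offset + len(payload)
        buf.extend(b"\0" * max(0, end - len(buf)))
        buf[offset:end] = payload
    return bytes(buf)

def has_overlap(fragments):
    """Defensive check: a byte covered by two fragments is a red flag."""
    covered = set()
    for offset, payload in fragments:
        span = set(range(offset, offset + len(payload)))
        if span & covered:
            return True
        covered |= span
    return False

def filter_decision(fragments, reassemble_first):
    """'accept' or 'drop' under a policy of 'no inbound connection attempts'."""
    if reassemble_first:
        if has_overlap(fragments):
            return "drop"               # never forward overlapping fragments
        hdr = reassemble(fragments)[:20]
    else:
        hdr = fragments[0][1][:20]      # only the first fragment has a header
    return "drop" if is_syn(hdr) else "accept"

# Constructed case: first fragment reads as an established-flow ACK; the second
# (offset 8) rewrites bytes 8..19 so the flags byte is SYN after reassembly.
FRAGS = [(0, tcp_header(ACK)), (8, tcp_header(SYN)[8:20])]
```

`filter_decision(FRAGS, False)` returns "accept" and `filter_decision(FRAGS, True)` returns "drop", which is the "set the box to reassemble all packets" advice in miniature.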




