Vulnerability Development mailing list archives

Linksys DSL routers and fragments


From: "C. Regis Wilson" <t_pascal () PC4 ZENNET COM>
Date: Thu, 30 Nov 2000 11:37:36 -0800

Hi, read a posting from August about the Linksys DSL routers and their
(seeming) security strength.  I wonder if anyone has tried exploiting the
DMZ option; that is, expose a host to the WAN side and see what vulnerabilities
exist.  My initial testing shows that the DMZ option does not work in the
way you think it should, and that there can be some weird behaviour.  I
did notice that all fragments, period, seem to be dropped.  I wonder if Linksys
will fix that...

One interesting thing I found is that the DMZ option does allow exotic protocols
but only if you use the external IP of the router as your internal address!!
Picture this:  external IP=10.0.0.1 internal IP=10.0.0.2 client IP=10.0.0.1.
You'd think the packets would get confused (no known router would allow this
setup), but it works.  And when you set the DMZ host to 10.0.0.1, you can pass
IPSec, protocol 57, GRE, etc. etc.

Anyone notice that?

