| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: michael at bluesuperman.com (Michael Gale)
Subject: A new TCP/IP blind data injection technique?
Hello,
Well first of all, one of the industry leading firewalls (
BorderWare Firewall Server ) does NOT pass fragmented packets.
Also netfilter / iptables has the following optio:
[!] -f, --fragment
This means that the rule only refers to second and further
fragments of fragmented packets. Since there is no way
to tell the source or destination ports of such a packet (or ICMP type),
such a packet will not match any rules which specify them.
When the "!" argument precedes the "-f" flag, the rule will
only match head fragments, or unfragmented packets.
I have a rule at the beginning:
iptables -A INPUT -f -j DROP
So all my firewall boxes and any I have setup for other companies DROP
fragmented packets.
Michael.
On Sun, 14 Dec 2003 10:24:55 +0100 (CET)
Michal Zalewski <lcamtuf@...ttot.org> wrote:
> On Sat, 13 Dec 2003, Michael Gale wrote:
>
> > Well then .. I am happy that non of the firewalls I use accept or
> > pass fragments packets.
>
> I would be willing to assume you are confused. Can you provide any
> references that would confirm this observation?
>
> --
> ------------------------- bash$ :(){ :|:&};: --
> Michal Zalewski * [http://lcamtuf.coredump.cx]
> Did you know that clones never use mirrors?
> --------------------------- 2003-12-14 10:24 --
>
> http://lcamtuf.coredump.cx/photo/current/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists