Re: Ambiguities in TCP/IP - firewall bypassing
From: cbrenton@slartibartfast.pa.net
Date: 10/19/02
- Previous message: Orp 664: "Re: MondoSearch show the source of all files"
- In reply to: Florian Weimer: "Re: Ambiguities in TCP/IP - firewall bypassing"
- Next in thread: Aaron Hopkins: "Re: Ambiguities in TCP/IP - firewall bypassing"
- Next in thread: David Wagner: "Re: Ambiguities in TCP/IP - firewall bypassing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 19 Oct 2002 13:20:47 -0400 (EDT)
From: cbrenton@slartibartfast.pa.net
To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
On Sat, 19 Oct 2002, Florian Weimer wrote:
>
> As a result of this bug, it's quite complicated (if not impossible in
> some configurations) to properly filter connection attempts to Linux
> hosts on Cisco IOS routers.
Actually, not really, provided you are on IOS 11.3 or higher.
> If your access list is a whitelist with a "permit tcp any any
> established" statement somewhere, it's very likely that you can bypass
> the filter just by setting the RST in the initial SYN packet
True, which is why if you are relying on ACLs as your only line of
defense you are better off doing a:
ip access-list extended filterout
 ! outbound: permit the inside /24 and record each TCP session in tcp-state
 permit tcp 219.80.71.0 0.0.0.255 any reflect tcp-state
ip access-list extended filterin
 ! inbound: permit only packets matching a session recorded above (implicit deny otherwise)
 evaluate tcp-state
Yes, you will take a bigger performance hit with reflexive filters, but
it's worth it if it's your only line of defense.
HTH,
C
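As an added illustration (not part of the thread, and not Cisco's implementation), here is a toy model of the two ACL styles discussed above: the stateless "established" keyword, which matches any TCP segment carrying ACK or RST, versus the reflexive pair "reflect tcp-state" / "evaluate tcp-state", which only admits packets mirroring a session an inside host opened. The inside prefix comes from the posted ACL; the other addresses, ports and session-table behaviour (no timeouts, no FIN/RST teardown) are constructed simplifications.

```python
# Added example, not from the thread. Toy model of the two IOS ACL styles
# discussed above; addresses other than the inside /24 are constructed.
# A packet is (src_ip, src_port, dst_ip, dst_port, flags), flags a set of names.

INSIDE_NET = "219.80.71."  # 219.80.71.0 0.0.0.255 from the posted ACL (a /24)


def established_permits(pkt):
    """'permit tcp any any established': stateless check on the ACK/RST bits.

    IOS matches 'established' when ACK or RST is set, so a SYN that also
    carries RST satisfies it even though no session exists.
    """
    flags = pkt[4]
    return "ACK" in flags or "RST" in flags


class ReflexiveAcl:
    """Models 'reflect tcp-state' (outbound) and 'evaluate tcp-state' (inbound).

    Simplification: entries never time out and are not removed on FIN/RST.
    """

    def __init__(self):
        self.sessions = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt):
        src, sport, dst, dport, _ = pkt
        # permit tcp 219.80.71.0 0.0.0.255 any reflect tcp-state
        if src.startswith(INSIDE_NET):
            self.sessions.add((src, sport, dst, dport))
            return True
        return False  # implicit deny at the end of the list

    def inbound(self, pkt):
        src, sport, dst, dport, _ = pkt
        # evaluate tcp-state: permit only the mirror image of a recorded session;
        # the flag bits on the probe play no role, unlike 'established'
        return (dst, dport, src, sport) in self.sessions


def compare(probe, outbound_pkts=()):
    """Return (established_verdict, reflexive_verdict) for a packet arriving from outside."""
    acl = ReflexiveAcl()
    for p in outbound_pkts:
        acl.outbound(p)
    return established_permits(probe), acl.inbound(probe)
```

For a SYN+RST probe with no prior session `compare` returns `(True, False)`: the stateless keyword admits it, the reflexive list does not, while a genuine SYN-ACK reply to an inside host's SYN passes both.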