Re: Clever firewall rules
From: Pete Toscano (pete@research.netsol.com)
Date: 09/14/01
- Previous message: Rob 'Feztaa' Park: "Re: Clever firewall rules"
- In reply to: Seth Arnold: "Re: Clever firewall rules"
- Next in thread: Scott Gifford: "Re: Clever firewall rules"
Date: Fri, 14 Sep 2001 11:24:19 -0400
From: Pete Toscano <pete@research.netsol.com>
To: focus-linux <focus-linux@lists.securityfocus.com>
Subject: Re: Clever firewall rules
Message-ID: <20010914112419.B1667@tesla.admin.cto.netsol.com>
On Thu, 13 Sep 2001, Seth Arnold wrote:
> > Just drops fragments. I'm not really an expert on this, but I heard that
> > fragments can be used maliciously (in port scans and such) and have little
> > to no valid use nowadays, so I thought it might be smart to block them.
[snip]
> they are still very valid. With many hosts pumping out packets for
> ethernet, then a gateway encapsulating those for ipsec/ssh/vpns/etc,
> packets often get fragmented.
Very good point. I've already encountered problems with some load
balancers not correctly handling fragmented UDP packets. A lot of these
secure protocols (don't forget DNSSEC =) can generate packets > a
machine's MTU.
pete
-- Pete Toscano pete@research.netsol.com 703.948.3364
- application/x-pkcs7-signature attachment: smime.p7s
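Added example, not part of the thread: a small Python model of why a blanket "drop fragments" rule breaks the traffic Seth and Pete describe. It fragments a UDP datagram (a DNSSEC reply is the case Pete raises) before and after IPsec ESP tunnel encapsulation, then applies an iptables `-f`-style rule that drops non-initial fragments. The DNS payload sizes and the 58-byte ESP overhead are assumptions for illustration.

```python
# Added example (not from the thread): models IPv4 fragmentation of a UDP
# datagram such as a DNSSEC response, before and after IPsec ESP tunnel
# encapsulation, then applies an iptables "-f"-style rule that drops every
# non-initial fragment. All sizes are assumed for illustration.

IPV4_HEADER = 20
UDP_HEADER = 8
# Assumed ESP tunnel-mode overhead: outer IPv4 header (20) + SPI/sequence (8)
# + 16-byte IV + minimal pad/trailer (2) + 12-byte ICV. Real padding varies.
ESP_TUNNEL_OVERHEAD = 20 + 8 + 16 + 2 + 12

def fragment(total_len, mtu, ip_hdr=IPV4_HEADER):
    """Split an IPv4 packet of total_len bytes for a link with the given MTU.

    Returns (offset_in_8_byte_units, more_fragments, fragment_len) tuples,
    mirroring the IPv4 header fields a firewall inspects."""
    payload = total_len - ip_hdr
    if total_len <= mtu:
        return [(0, False, total_len)]
    per_frag = (mtu - ip_hdr) // 8 * 8   # all but the last must be a multiple of 8
    frags, offset = [], 0
    while offset < payload:
        chunk = min(per_frag, payload - offset)
        frags.append((offset // 8, offset + chunk < payload, ip_hdr + chunk))
        offset += chunk
    return frags

def drop_noninitial_fragments(frags):
    """Rule like 'iptables -A INPUT -f -j DROP': discard fragments with offset != 0."""
    return [f for f in frags if f[0] == 0]

def delivered(frags, rule):
    """The receiver can reassemble only if every fragment passed the rule."""
    return rule(frags) == frags

def dnssec_over_vpn(dns_payload, mtu=1500):
    """Does a DNS/UDP reply of dns_payload bytes survive the rule, plain and
    ESP-tunnelled? Returns (n_frags_plain, n_frags_tunnelled, ok_plain, ok_tunnelled)."""
    datagram = IPV4_HEADER + UDP_HEADER + dns_payload
    plain = fragment(datagram, mtu)
    tunnelled = fragment(datagram + ESP_TUNNEL_OVERHEAD, mtu)
    return (len(plain), len(tunnelled),
            delivered(plain, drop_noninitial_fragments),
            delivered(tunnelled, drop_noninitial_fragments))

if __name__ == "__main__":
    for size in (512, 1460, 1800):   # typical, just-under-MTU, and large DNSSEC answer
        print(size, dnssec_over_vpn(size))
```

The 1460-byte case is the one Seth describes: the reply fits the MTU on the LAN, but the ESP-encapsulating gateway pushes it over 1500 and the second fragment is dropped, so the resolver never gets an answer.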