RE: Clever firewall rules

From: Matt Block (blockdev@blockdev.net)
Date: 09/16/01


From: "Matt Block" <blockdev@blockdev.net>
To: "'Rob 'Feztaa' Park'" <fezziker@home.com>, "'focus-linux'" <focus-linux@lists.securityfocus.com>
Subject: RE: Clever firewall rules
Date: Sun, 16 Sep 2001 03:20:50 -0400
Message-ID: <006901c13e80$1cd76a20$6400000a@internal.home.blockdev.net>


> -----Original Message-----
> From: Rob 'Feztaa' Park [mailto:fezziker@home.com]
>
> > The biggest reason I would avoid a rule like this is that it means
> > that every time you have a problem connecting to someplace on the
> > Internet, you have to wonder whether their host is down,
> their network
> > is down, or their packets just need to be fragmented along
> the way...I
> > like knowing that when I see outages, they're not on my end. :)
>
> Good point, but fragments are reassembled before they are
> checked, right? So this rule only activates on fragments that
> couldn't be assembled. Fragments that couldn't be assembled
> really shouldn't be trusted, imho, because that means that
> the fragment was manufactured to be a fragment - or the other
> fragments that go with it were lost somewhere - either way
> it's not a good idea to accept them.

Fragments that cannot be reassembled are dropped by the kernel whether
a rule is in place or not. Fragments that are reassembled are not
fragments. I think that this rule cannot ever be matched, if you
have ip_always_defragment (and every stock 2.2.x kernel I've worked
with has, because it is a precondition for IP MASQuerading). As such,
all it does is slow down the traversal of the chain on which it
appears.

If, on the other hand, the kernel isn't reassembling packets before
traversing the chain, this rule will be matched typically by packets
which find themselves fragmented because they pass through routers
which neither the administrator of the firewall box, nor the user
of the client box, control. In this case, it does nothing more than
deny service to the client.

Taking the rule off leaves fragmented packets as an attack vector,
to which Linux is invulnerable. The danger is that Linux might pass
the fragmented packets, still in fragments, backwards to boxes with
less elegantly implemented TCP/IP stacks. Again, this won't occur
in a MASQ situation, so we're really talking about this rule being
useful in the (very) few cases when a Linux machine is used as a
true router, with NAT disabled, for client machines which have lousy
TCP/IP implementations. If this describes your network, probably
you'll have better protection by simply turning on ip_always_defragment.
It will almost certainly be faster, in any case.

  -- Matt



Relevant Pages

  • RE: IDSIPS that can handle one Gig
    ... devices through use of fragments. ... traffic, an attack can spread itself across multiple packets, which all get ... and totally abused by most vendors on their ... Find out quickly and easily by testing it with real-world attacks from ...
    (Focus-IDS)
  • RE: IDSIPS that can handle one Gig
    ... make "any sense in real world security policy". ... devices through use of fragments. ... traffic, an attack can spread itself across multiple packets, which all ... Find out quickly and easily by testing it with real-world attacks from ...
    (Focus-IDS)
  • Re: dummynet dropping too many packets
    ... injection of packets by dummynet to attempt to reduce the peaks of burstiness that occur when multiple queues inject packets in a burst that exceeds the queue depth supported by combined hardware descriptor rings and software transmit queue. ... That said, in your configuration I see little argument for a lower timer rate: you need to burst packets at frequent intervals or risk overfilling queues, and the overheads of additional timer tickets on your system shouldn't be too bad as you have both very fast hardware and a lot of idle time. ... 147 fragments dropped ...
    (freebsd-net)
  • panic: sched_priority: invalid priority 2906: nice 0, ticks 122865664 ftick 516947 ltick 517947 tick
    ... 21240 data packets ... discarded for bad header offset fields ... connections established ... fragments dropped ...
    (freebsd-current)
  • Re: Question Regarding Firewall Settings on Linksys Gateway-Router
    ... > and enabling Block Anonymous Internet Requests, ... > Fragmented IP Packets, and Filter Multicast? ... fragments will block the application. ... Multicast is the same category. ...
    (comp.security.firewalls)