RE: Clever firewall rules

From: Matt Block (blockdev@blockdev.net)
Date: 09/16/01


From: "Matt Block" <blockdev@blockdev.net>
To: "'Rob 'Feztaa' Park'" <fezziker@home.com>, "'focus-linux'" <focus-linux@lists.securityfocus.com>
Subject: RE: Clever firewall rules
Date: Sun, 16 Sep 2001 03:20:50 -0400
Message-ID: <006901c13e80$1cd76a20$6400000a@internal.home.blockdev.net>


> -----Original Message-----
> From: Rob 'Feztaa' Park [mailto:fezziker@home.com]
>
> > The biggest reason I would avoid a rule like this is that it means
> > that every time you have a problem connecting to someplace on the
> > Internet, you have to wonder whether their host is down,
> their network
> > is down, or their packets just need to be fragmented along
> the way...I
> > like knowing that when I see outages, they're not on my end. :)
>
> Good point, but fragments are reassembled before they are
> checked, right? So this rule only activates on fragments that
> couldn't be assembled. Fragments that couldn't be assembled
> really shouldn't be trusted, imho, because that means that
> the fragment was manufactured to be a fragment - or the other
> fragments that go with it were lost somewhere - either way
> it's not a good idea to accept them.

Fragments that cannot be reassembled are dropped by the kernel whether
a rule is in place or not. Fragments that are reassembled are not
fragments. I think that this rule cannot ever be matched, if you
have ip_always_defragment (and every stock 2.2.x kernel I've worked
with has, because it is a precondition for IP MASQuerading). As such,
all it does is slow down the traversal of the chain on which it
appears.

If, on the other hand, the kernel isn't reassembling packets before
traversing the chain, this rule will be matched typically by packets
which find themselves fragmented because they pass through routers
which neither the administrator of the firewall box, nor the user
of the client box, control. In this case, it does nothing more than
deny service to the client.

Taking the rule off leaves fragmented packets as an attack vector,
to which Linux is invulnerable. The danger is that Linux might pass
the fragmented packets, still in fragments, backwards to boxes with
less elegantly implemented TCP/IP stacks. Again, this won't occur
in a MASQ situation, so we're really talking about this rule being
useful in the (very) few cases when a Linux machine is used as a
true router, with NAT disabled, for client machines which have lousy
TCP/IP implementations. If this describes your network, probably
you'll have better protection by simply turning on ip_always_defragment.
It will almost certainly be faster, in any case.

  -- Matt