Re: Potential crafted packets vulnerability in firewalls

Date: 11/05/02

Date: 5 Nov 2002 19:58:41 GMT

Joe <> wrote:
> There is an INVALID state test. e.g.:

> iptables -A INPUT -m state --state INVALID -j badpacket

> Are there any invalid flag combinations that this doesn't pick up?

I always thought that the check to see if a packet was ESTABLISHED or
RELATED was more complicated than just checking the TCP flags to see if
they match. Doesn't it also do some sort of check on other fields of the
TCP/IP header?

Also, is INVALID even a list of TCP flags that aren't accepted, or does it
check if it matches ESTABLISHED, NEW, and RELATED first, and if not, it is
considered INVALID?