Mailinglist Archive: opensuse-security (192 mails)

< Previous Next >
Re: [suse-security] IPChains
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Sun, 28 May 2000 18:07:22 +0200
  • Message-id: <20000528180722.D4977@xxxxxxxxx>
* Gerhard Sittig wrote on Sat, May 27, 2000 at 22:18 +0200:
> On Sat, May 27, 2000 at 18:18 +0200, Steffen Dettmer wrote:
> > * Gerhard Sittig wrote on Sat, May 27, 2000 at 11:09 +0200:
> > Do you know what happens to the payload of such packets? May
> > the be used like in icmp echo request packets?
> AFAIK the ping tunnel uses the variable length payload to contain
> the data (which is usually just stuffed when you use the -s
> switch).

Yepp, in the payload of the packets. Should work with all ICMP
Messages I think.

> And nobody seems to care about echo requests and
> replies. I'm not sure wether the above icmp packet types have
> room for these things or if they just get truncated right after
> the header.

I cannot imagine that a ordinary router would modify packets in
such a way! Of course, the target machine would ignore it
usually, but it seems no problem to write a piece of code that
could get the data out of this ping (or whatever) stream. I saw a
program doing that IIRC, fraq router or something like this

> > BTW: if a firewall rejects echo request (with comm adm.
> > prohibited), ordinary ping shows normal output, but of course
> > even if the pinged host is down.
> There's always the choice between rejection and denial. :)

Yes, but of course this makes the difference. I talked about
rejects only.

> BTW I'm aware of the fact that denied packets "reveal" there's
> some kind of filter in between, attracting the kids like locked
> doors to forbidden rooms ...

Why should this happen? I would assume, that kids would think
they hit a machine that is currently down or unused IP/DNS Name.
I usually don't use packet deny but reject. Since all packets
become rejected, and ICMPs become generated, I cannot imagine
what could attract some kids or whoever. They see a firewall
only, not more.

> > Additionally it seems to be possible to block fragmentated
> > ICMPs always, since usually those packets are very small,
> > ain't? (Comments?)
> Any decent firewall (or even the TCP stack) should drop corrupted
> and malformed packets even before the header fields are looked at
> and used to base decisions upon.

Are you sure, that a fragmentated ICMP is corrupt always? Maybe
there are some ways/nets with a very small MTU?

> It's mad enough that the fw
> rules act on behalf of data anyone untrusted delivers to you you
> actually try to defend against.

But there's no information in a packet you could trust usually!
Of course you could use IPSec only, but even in this case you
need an open port 500 for keyexchange of course.



Dieses Schreiben wurde maschinell erstellt,
es trägt daher weder Unterschrift noch Siegel.

< Previous Next >