Mailinglist Archive: opensuse-security (192 mails)

Re: [suse-security] IPChains
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Sun, 28 May 2000 18:07:22 +0200
  • Message-id: <20000528180722.D4977@xxxxxxxxx>
* Gerhard Sittig wrote on Sat, May 27, 2000 at 22:18 +0200:
> On Sat, May 27, 2000 at 18:18 +0200, Steffen Dettmer wrote:
> > * Gerhard Sittig wrote on Sat, May 27, 2000 at 11:09 +0200:
> > Do you know what happens to the payload of such packets? May
> > they be used like in ICMP echo request packets?
>
> AFAIK the ping tunnel uses the variable length payload to contain
> the data (which is usually just stuffed when you use the -s
> switch).

Yep, in the payload of the packets. Should work with all ICMP
messages, I think.

> And nobody seems to care about echo requests and
> replies. I'm not sure whether the above ICMP packet types have
> room for these things or if they just get truncated right after
> the header.

I cannot imagine that an ordinary router would modify packets in
such a way! Of course, the target machine would usually ignore it,
but it seems no problem to write a piece of code that
could get the data out of this ping (or whatever) stream. I saw a
program doing that IIRC, fraq router or something like this
IIRC...

> > BTW: if a firewall rejects echo request (with comm adm.
> > prohibited), ordinary ping shows normal output, but of course
> > even if the pinged host is down.
>
> There's always the choice between rejection and denial. :)

Yes, but of course this makes the difference. I talked about
rejects only.

> BTW I'm aware of the fact that denied packets "reveal" there's
> some kind of filter in between, attracting the kids like locked
> doors to forbidden rooms ...

Why should this happen? I would assume that kids would think
they hit a machine that is currently down or an unused IP/DNS name.
I usually don't use packet deny but reject. Since all packets
get rejected and ICMPs get generated, I cannot imagine
what could attract some kids or whoever. They see a firewall
only, not more.

> > Additionally it seems to be possible to block fragmented
> > ICMPs always, since usually those packets are very small,
> > ain't they? (Comments?)
>
> Any decent firewall (or even the TCP stack) should drop corrupted
> and malformed packets even before the header fields are looked at
> and used to base decisions upon.

Are you sure that a fragmented ICMP is always corrupt? Maybe
there are some ways/nets with a very small MTU?

> It's mad enough that the fw
> rules act on behalf of data anyone untrusted delivers to you, whom you
> actually try to defend against.

But there's usually no information in a packet you could trust!
Of course you could use IPSec only, but even in this case you
need an open port 500 for key exchange, of course.

oki,

Steffen

--
This message was generated by machine,
so it bears neither signature nor seal.
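The thread above raises two filtering questions: whether ICMP payloads can carry tunnelled data, and whether fragmented ICMP can simply be dropped. The following is an added example, not code from this list or from either poster, showing how a packet inspector could implement both checks: it parses a raw IPv4+ICMP packet, drops any fragment (MF flag set or non-zero fragment offset), and flags echo payloads that exceed a size limit or look like high-entropy data. The sample packets are constructed inline; the "normal" ping payload is modelled on the iputils layout (8-byte timestamp followed by bytes 0x08..0x37), and the thresholds MAX_ECHO_PAYLOAD and HIGH_ENTROPY are assumed site policy, not values from the thread.

```python
import hashlib
import math
import struct
from collections import Counter

MAX_ECHO_PAYLOAD = 256  # bytes; assumed site policy, tune per network
HIGH_ENTROPY = 7.0      # bits/byte; assumed threshold, only applied to long payloads


def inet_checksum(data: bytes) -> int:
    """Standard ones-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(payload: bytes, icmp_type: int = 8, mf: bool = False, frag_offset: int = 0) -> bytes:
    """Construct a minimal IPv4 packet carrying an ICMP message (test data only)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    flags_frag = (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, flags_frag,
                      64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; a rough indicator of encrypted/compressed content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_icmp(packet: bytes):
    """Return (verdict, details) for one raw IPv4 packet.

    Verdicts: drop-malformed, pass-non-icmp, drop-fragment, flag-payload, allow.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop-malformed", {}
    ihl = (packet[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", packet[2:4])
    flags_frag, = struct.unpack("!H", packet[6:8])
    if packet[9] != 1:  # protocol field: 1 = ICMP
        return "pass-non-icmp", {}
    mf = bool(flags_frag & 0x2000)
    frag_off = (flags_frag & 0x1FFF) * 8
    # The thread's first rule: fragmented ICMP is dropped outright. A non-first
    # fragment carries no ICMP header, so no decision could be based on it anyway.
    if mf or frag_off:
        return "drop-fragment", {"mf": mf, "offset": frag_off}
    icmp = packet[ihl:total_len]
    if len(icmp) < 8:
        return "drop-malformed", {}
    payload = icmp[8:]
    details = {"type": icmp[0], "code": icmp[1], "payload_len": len(payload),
               "entropy": round(shannon_entropy(payload), 2)}
    reasons = []
    if len(payload) > MAX_ECHO_PAYLOAD:
        reasons.append("payload exceeds MAX_ECHO_PAYLOAD")
    # Entropy is only meaningful once there are enough bytes to fill the symbol
    # space; a 56-byte ping already scores ~5.8 bits/byte simply by being short.
    if len(payload) >= 256 and details["entropy"] > HIGH_ENTROPY:
        reasons.append("high-entropy payload")
    if reasons:
        details["reasons"] = reasons
        return "flag-payload", details
    return "allow", details


# Constructed samples (not captured traffic).
PING_PAYLOAD = struct.pack("!II", 959530042, 123456) + bytes(range(8, 56))   # iputils-style, 56 bytes
PATTERN_1K = (bytes(range(8, 56)) * 22)[:1024]                               # big but low-entropy (ping -s)
TUNNEL_1K = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 pseudo-random bytes

SAMPLES = {
    "normal_ping": build_ipv4_icmp(PING_PAYLOAD),
    "fragment": build_ipv4_icmp(PING_PAYLOAD, mf=True),
    "large_pattern": build_ipv4_icmp(PATTERN_1K),
    "random_payload": build_ipv4_icmp(TUNNEL_1K),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, inspect_icmp(pkt))
```

The fragment rule is the cheap part and matches the thread's reasoning that a legitimate echo request has no need to be fragmented; the payload heuristics are only a signal, since `ping -s` produces large payloads legitimately and a short payload cannot be distinguished by entropy alone, which is why the entropy test is gated on length.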
