Re: Crafted Packets Handling by Firewalls - FW-1 case

From: Darren Reed (avalonat_private)
Date: Thu Jan 20 2000 - 16:39:09 PST

Next message: Morris, Joseph L.: "(no subject)"

Previous message: Ryan Russell: "Re: Some discussion in http-wg ... FW: webmail vulnerabilities: a"
Maybe in reply to: Ofir Arkin: "Crafted Packets Handling by Firewalls - FW-1 case"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In some mail from Ofir Arkin, sie said:
>
> I will try to focus more on the subject.
>
> FW-1 do accept:  ACK, SYN-ACK, NULL, FIN-ACK  (and more) as valid
> traffic if they match the rule base, even if no connection establishment
> was in progress and no session state was in the firewalls table.
[...]

FW-1's behaviour in this respect has been discussed at length in the
past and last year a patch was released by them for their base INSPECT
code which changed the behaviour to not be this way.  A patch, which
fixes this problem, was made available due to DoS problems.  I believe
this URL will help you:

http://www.checkpoint.com/techsupport/alerts/ackdos.html

Darren

Next message: Morris, Joseph L.: "(no subject)"
Previous message: Ryan Russell: "Re: Some discussion in http-wg ... FW: webmail vulnerabilities: a"
Maybe in reply to: Ofir Arkin: "Crafted Packets Handling by Firewalls - FW-1 case"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:29:36 PDT