Is ipchains -y secure enough?

From: Philip Stoev (philipat_private)
Date: Mon Jun 04 2001 - 07:57:00 PDT

  • Next message: Read, Greg: "RE: IIS & w2k"

    Excuse me for the ignorance, but I would like to ask if the community
    considers ipchains rules containing the -y flag as secure for the purpose of
    TCP filtering. Such a rule will prevent the stablishment of TCP connections
    to the host being firewalled. Is there a way to curcumvent such a
    protection?
    
    I am mostly interested if direct attacks (as if there is no firewall rule at
    all) are possible. I know that if there is a broken proxy server or a web
    interface or something else that can be used as a launch pad, such filters
    may not help. However, what can an attacker do to a filtered service if no
    other vulnerable or insecure service exists?
    
    We assume that there are no UDP services running on the machine being
    firewalled (as -y filters do not apply to those) and that the TCP/IP stacks
    are stable enough (no DoS conditions, floods, etc.).
    
    Yes, I know that port scanners can bypass -y filters and still map the host
    being firewalled, however is there more that can be done against such a
    host?
    
    Thanks in advance.
    
    Philip
    



    This archive was generated by hypermail 2b30 : Mon Jun 04 2001 - 10:16:23 PDT