Be sure that the system is set to assemble fragmented packets. I don't know if ipchains in particular is vulnerable to that problem, but I have heard of other cases where it was possible to fragment a packet so that the TCP flags weren't interpreted by the firewall and allowed to pass through.

Also, before you use '! -y', be sure you understand what it does. Since -y triggers on packets that contain a syn and not ack or fin, the opposite of that is a packet that contains fin and ack but not syn. iptables provides much more control over the flags that trigger a rule, but it's still fairly new, so that may or may not be an option for you.

> -----Original Message-----
> From: Philip Stoev [mailto:philipat_private]
> Subject: Is ipchains -y secure enough?
>
> Excuse me for the ignorance, but I would like to ask if the community
> considers ipchains rules containing the -y flag as secure for the purpose of
> TCP filtering. Such a rule will prevent the establishment of TCP connections
> to the host being firewalled. Is there a way to circumvent such a
> protection?
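The following is an added example, not code from the thread: it models the flag tests behind ipchains -y and iptables --tcp-flags (semantics as documented in ipchains(8) and iptables(8)) and applies them to a handful of constructed packets, including a non-first IP fragment that carries no TCP header, to show which packets each rule matches and why fragment reassembly matters for the rule to be evaluated at all.

```python
# Added example (not from the original thread): models how ipchains -y and
# iptables --tcp-flags decide on a packet's TCP flags, and why a firewall
# that does not reassemble fragments cannot evaluate either rule on a
# non-first fragment. Rule semantics follow ipchains(8) and iptables(8);
# the packet records below are constructed for illustration.

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())

def to_bits(names):
    """'SYN,ACK' -> integer bitmask; 'ALL' and 'NONE' as in iptables(8)."""
    if names == "ALL":
        return ALL
    if names == "NONE":
        return 0
    return sum(FLAGS[n] for n in names.split(","))

def ipchains_y(flags):
    """ipchains -y: SYN set, ACK and FIN clear (RST and other bits ignored)."""
    return bool(flags & FLAGS["SYN"]) and not flags & (FLAGS["ACK"] | FLAGS["FIN"])

def tcp_flags_match(flags, mask, comp):
    """iptables --tcp-flags MASK COMP: of the bits in MASK, exactly COMP are set."""
    return flags & to_bits(mask) == to_bits(comp)

def evaluate(packet, rule):
    """Apply a rule string to a constructed packet record. A non-first fragment
    has no TCP header, so the flags are unknown and the rule is undecidable
    (None); a firewall must reassemble before it can filter on flags."""
    if packet["frag_offset"] != 0:
        return None
    flags = to_bits(packet["flags"])
    if rule == "-y":
        return ipchains_y(flags)
    if rule == "! -y":
        return not ipchains_y(flags)
    _, mask, comp = rule.split()  # "--tcp-flags MASK COMP"
    return tcp_flags_match(flags, mask, comp)

# Constructed sample packets: TCP flag word and IP fragment offset.
PACKETS = {
    "syn":      {"flags": "SYN",     "frag_offset": 0},
    "syn_ack":  {"flags": "SYN,ACK", "frag_offset": 0},
    "fin_ack":  {"flags": "FIN,ACK", "frag_offset": 0},
    "syn_fin":  {"flags": "SYN,FIN", "frag_offset": 0},
    "syn_rst":  {"flags": "SYN,RST", "frag_offset": 0},
    "rst":      {"flags": "RST",     "frag_offset": 0},
    "fragment": {"flags": None,      "frag_offset": 185},  # no TCP header visible
}

def matches(rule):
    """Map each sample packet name to the rule's verdict (None = undecidable)."""
    return {name: evaluate(p, rule) for name, p in PACKETS.items()}

if __name__ == "__main__":
    for rule in ("-y", "! -y", "--tcp-flags SYN,RST,ACK,FIN SYN", "--tcp-flags ALL SYN,FIN"):
        print(f"{rule:34} {matches(rule)}")
```

Note that `--tcp-flags SYN,RST,ACK,FIN SYN` (what iptables calls `--syn`) differs from ipchains -y on a SYN+RST packet, and that the fragment gets no verdict from any rule.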
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 10:07:49 PDT