On Thu, 2003-09-25 at 09:20, Jeff wrote:
> Hello!
>
> Shorewall protects against the following attacks?
>
> Attack Protection:
> . IP Spoofing: Sending packets over the WAN interface using an internal LAN
> IP address as the source address.
Yes.
> . Tear Drop: Sending packets that contain overlapping fragments.
That is the responsibility of the IP stack, not the iptables-based
firewall since fragment reassembly occurs before the stateful packet
filter ever sees the packet.
> . Smurf and Fraggle: Sending packets that use the WAN or LAN IP broadcast
> address as the source address.
Can do although it's not part of the default
configuration.
> . Land Attack: Sending packets that use the same address as the source and
> destination address.
If 'routefilter' is selected, yes.
> . Ping of Death: Illegal IP packet length.
IP Stack does that. Additional invalid packet filtering is currently
available in Shorewall although that support will be removed in a future
release.
>
> .DoS Protection:
> . SYN DoS
> . ICMP DoS
> . Per-host DoS protection
>
Any rule or policy in Shorewall can be rate-limited.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
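
The three address-based conditions listed in the message above (IP spoofing, Smurf/Fraggle, Land), written out as header checks. This is an added example, not part of the original mail and not Shorewall code; the LAN and WAN networks, the interface names "wan"/"lan" and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# Assumed topology (constructed for this example, not taken from the mail).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_NET = ipaddress.ip_network("203.0.113.0/24")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify(in_iface, src, dst):
    """Return the address-based anomalies found in one packet header.

    in_iface is "wan" or "lan"; src and dst are dotted-quad strings.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    findings = []
    # IP spoofing: an internal LAN source address arriving on the WAN interface.
    if in_iface == "wan" and s in LAN_NET:
        findings.append("spoofed-lan-source")
    # Smurf/Fraggle: the WAN or LAN broadcast address used as the source.
    broadcasts = {
        LAN_NET.broadcast_address,
        WAN_NET.broadcast_address,
        LIMITED_BROADCAST,
    }
    if s in broadcasts:
        findings.append("broadcast-source")
    # Land: source and destination address are identical.
    if s == d:
        findings.append("land")
    return findings


# Constructed sample headers: (interface, source, destination).
SAMPLES = [
    ("wan", "198.51.100.7", "203.0.113.10"),   # ordinary inbound packet
    ("wan", "192.168.1.50", "203.0.113.10"),   # LAN address seen on WAN
    ("wan", "203.0.113.255", "203.0.113.10"),  # WAN broadcast as source
    ("lan", "192.168.1.255", "192.168.1.1"),   # LAN broadcast as source
    ("wan", "203.0.113.10", "203.0.113.10"),   # source equals destination
]

if __name__ == "__main__":
    for iface, src, dst in SAMPLES:
        print(iface, src, "->", dst, classify(iface, src, dst) or "clean")
```

Tear Drop and Ping of Death are left out because, as the reply says, the IP stack handles them before the packet filter sees the packet.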