wolff@BitWizard.nl wrote:
> This is Exactly why that option exists, and why you should turn it off
> (or leave it off, whatever.).
>
> Roger.
>
> fire fire <fire@topor.net> wrote:
> > Glynn Clements wrote:
> >
> > > Duncan Simpson wrote:
> > >
> > > > > That's the kind of questions I'm asking myself
> > > > > and haven't
[The text cut]
I can't comment on the quality of the Linux 2.0.x IP Filter package,
but personally, after reading the following papers (and some others),
I would not leave my inner net protected *only* with IP filters,
which is actually the case with IP Masquerading and that "firewall"
some people are talking about. I would not leave my inner net guarded
even with the IP filtering package of OpenBSD, which looks like one of the
best to me, because it takes into account even the flags of the IP
packets.
Postings have been made on BUGTRAQ, as recently as 2 weeks ago, for a program which
sends all of the 64 combinations in the IP header options, and in
this way tries to get past your firewall and packet filters....
There are some other examples too....
like the famous Kevin Mitnick et al. who broke into SDSC; especially
if you go and check on www.takedown.com, you'll see that at the time
of the break-in they had *2* IP packet filters... of course probably
without checks for IP spoofing....
But still I suggest reading the papers that exist on the net...
and especially the 3rd one in this list:
1. Security Problems in the TCP/IP Protocol Suite
-- S.M. Bellovin then of AT&T
ftp://research.att.com/dist/internet_security/ipext.ps.Z
2. A Weakness in the 4.2 BSD Unix TCP/IP Software
-- R.T. Morris then of AT&T
ftp://research.att.com/dist/internet_security/117.ps.Z
*3.* Network (In)Security Through IP Packet Filtering
-- D. Brent Chapman
ftp://coast.cs.purdue.edu/pub/doc/firewalls/Brent_Chapman_packet_filtering.ps.Z
[mod: I just scanned this article, and it has some good advice. It
also overstresses that some features "would be nice". Those are
standard on Linux. Also section 2.4.4 (fragments) is "outdated". On
Linux you say "always defrag" and the problems raised are solved.
If you don't the problems are even worse than he mentions. -- REW]
On the subject of firewall and IP packet filtering just go
to (and read the whole directory):
ftp://coast.cs.purdue.edu/pub/doc/firewalls/
In case of interest, the source of the IP filter that
OpenBSD uses is at (it claims to run under Linux 2.0.31 too):
http://cheops.anu.edu.au/~avalon/
But one of the best monitoring tools is tcpdump, its
current version being 3.4, and you need libpcap-0.x for it to
work. Both packages are ready to download from:
ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
ftp://ftp.ee.lbl.gov/libpcap.tar.Z
ftp://ftp.ee.lbl.gov/tcpslice.tar.Z
The last one is for reading, at a later time when needed,
files with live snapshots from your net that were written
by tcpdump.
WARN: untar libpcap where your *currently untarred* tcpdump
files lie, in other words under the tcpdump-3.4 directory!
There are other very interesting papers around the net...
all of the above and others can be found at:
www.geek-girl.com
www.cs.purdue.edu/coast/hotlist
and CIAC, CERT, AUSCERT and similar.... so read them carefully ... ;-)))
Yours,
-fire
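The post ties together four things a filter-only perimeter gets wrong (spoofed inner source addresses, IP options, fragments that carry no transport header, and the moderator's "always defrag" remedy) and recommends tcpdump/tcpslice for watching the wire. The following is an added example, not code from the thread or from the tcpdump project: it parses the classic libpcap file format that tcpdump writes with `-w`, flags each of those evasion classes in a capture, and cuts a time window the way tcpslice does. The capture, addresses (RFC 5737 documentation ranges) and timestamps are constructed inline; the "spoofed" check assumes the capture was taken on the outside interface, where an inner source address has no legitimate reason to appear.

```python
# Added example, not from the thread: parse a tcpdump/libpcap capture, flag the
# filter-evasion classes the post warns about, and cut a time window as tcpslice does.
import ipaddress
import struct

ETH_P_IP = 0x0800        # EtherType for IPv4
PCAP_MAGIC = 0xa1b2c3d4  # libpcap magic (microsecond timestamps)
DLT_EN10MB = 1           # libpcap link type: Ethernet

def ip_checksum(header):
    """RFC 791 one's-complement sum of 16-bit words: the checksum when the header's
    checksum field is zero, and 0 when run over a complete, valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return ~total & 0xffff

def build_frame(src, dst, payload=b"", options=b"", more_fragments=False, frag_offset=0):
    """Ethernet + IPv4 (proto TCP) header with a valid checksum; options padded to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45 + len(options) // 4, 0, 20 + len(options) + len(payload),
                      1, flags_frag, 64, 6, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed) + options
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ETH_P_IP) + hdr + payload

def build_pcap(packets):
    """Little-endian libpcap file (v2.4, snaplen 65535, Ethernet) from (timestamp, frame) pairs."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB))
    for ts, frame in packets:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return bytes(out)

def records(data):
    """Yield (timestamp, record) per libpcap record, either byte order; the record keeps
    its 16-byte header so slice_capture can write it back out unchanged."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC: "<", 0xd4c3b2a1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap capture (bad magic)")
    if struct.unpack_from(endian + "I", data, 20)[0] != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        yield sec + usec / 1e6, data[off:off + 16 + incl_len]
        off += 16 + incl_len

def slice_capture(data, start, end):
    """tcpslice-style cut: a new capture holding only records with start <= timestamp < end."""
    out = bytearray(data[:24])
    for ts, rec in records(data):
        if start <= ts < end:
            out += rec
    return bytes(out)

def decode_ipv4(frame):
    """The IPv4 header fields a packet filter decides on, or None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ver_ihl, flags_frag = ip[0], struct.unpack_from("!H", ip, 6)[0]
    ihl = (ver_ihl & 0x0f) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    return {
        "src": ipaddress.IPv4Address(ip[12:16]),
        "dst": ipaddress.IPv4Address(ip[16:20]),
        "options": ip[20:ihl],                        # non-empty only when IHL > 5
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1fff) * 8,
        "checksum_ok": ip_checksum(ip[:ihl]) == 0,
    }

def audit_capture(data, inner_net):
    """Flag each IPv4 packet against the evasion classes named in the post. Assumes (as this
    example does) that the capture was taken on the outside interface, so a packet bearing
    an inner source address there can only be spoofed."""
    inner = ipaddress.IPv4Network(inner_net)
    findings = []
    for ts, rec in records(data):
        pkt = decode_ipv4(rec[16:])
        if pkt is None:
            continue
        flags = []
        if not pkt["checksum_ok"]:
            flags.append("bad-ip-checksum")
        if pkt["options"]:
            flags.append("ip-options(%d bytes)" % len(pkt["options"]))
        if pkt["more_fragments"] or pkt["frag_offset"]:
            # A non-initial fragment carries no TCP/UDP header, so a port-based rule never
            # sees it; reassembling first ("always defrag") is what closes this hole.
            flags.append("fragment(off=%d,MF=%d)" % (pkt["frag_offset"], pkt["more_fragments"]))
        if pkt["src"] in inner:
            flags.append("spoofed-inner-source")
        findings.append((ts, str(pkt["src"]), str(pkt["dst"]), flags))
    return findings

# Constructed sample: inner net 192.0.2.0/24, outside host 198.51.100.5 (documentation ranges).
TCP_HDR = b"\x04\xd2\x00\x50" + b"\x00" * 16    # sport 1234, dport 80, remaining fields zero
SAMPLE_CAPTURE = build_pcap([
    (900000000.0, build_frame("198.51.100.5", "192.0.2.10", TCP_HDR)),                 # ordinary
    (900000001.5, build_frame("192.0.2.7", "192.0.2.10", TCP_HDR)),                    # inner source seen outside
    (900000002.0, build_frame("198.51.100.5", "192.0.2.10", TCP_HDR,
                              options=b"\x83\x07\x04\xc0\x00\x02\x01")),                # loose source route option
    (900000003.0, build_frame("198.51.100.5", "192.0.2.10", TCP_HDR + b"\x00" * 4,
                              more_fragments=True)),                                  # first fragment, 24 bytes
    (900000003.1, build_frame("198.51.100.5", "192.0.2.10", b"\x00" * 8, frag_offset=24)),  # no ports visible
])
```

`audit_capture(SAMPLE_CAPTURE, "192.0.2.0/24")` marks the second packet as a spoofed inner source, the third as carrying IP options, and the last two as fragments, the final one being a non-initial fragment with no port numbers for a filter rule to match. A real file written with `tcpdump -w` can be passed in as its raw bytes; only the classic libpcap format on Ethernet is handled here, not pcapng or other link types.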