I've recently installed shorewall, because I introduced a DMZ to my home network, and I was having trouble figuring out how to get iptables to do what I want. Shorewall made it very easy, and very clear to me. So first off, thanks.

Secondly, I have a question. I had a friend run Nessus against my system. It reported the following --

---start---
*Vulnerability found on port ssh (22/tcp)*

The remote host seems to generate Initial Sequence Numbers (ISN) in a weak maner which seems to solely depend on the source and dest port of the TCP packets. The Raptor Firewall is known to be vulnerable to this flaw, as may others be. An attacker may use this flaw to establish spoofed connections to the remote host.

Solution : If you are using a Raptor Firewall, see http://www.symantec.com/techsupp/bulletin/archive/firewall/082002firewall.html or else contact your vendor for a patch

Risk factor : High
---end---

1) Could Shorewall be contributing this problem? I don't understand what the role of a firewall is in generating ISNs.
2) Does shorewall implicitly defend against spoofing?

Thanks.
David
--On Wednesday, November 20, 2002 09:01:55 PM -0500 David Corbin <dcorbin@machturtle.com> wrote:

> Risk factor : High
> ---end---
> 1) Could Shorewall be contributing this problem? I don't understand what
> the role of a firewall is in generating ISNs. 2) Does shorewall
> implicitly defend against spoofing?

No and No. ISNs are strictly the responsibility of the Linux TCP stack.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
--On Wednesday, November 20, 2002 06:50:13 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> --On Wednesday, November 20, 2002 09:01:55 PM -0500 David Corbin
> <dcorbin@machturtle.com> wrote:
>
>> Risk factor : High
>> ---end---
>> 1) Could Shorewall be contributing this problem? I don't understand what
>> the role of a firewall is in generating ISNs. 2) Does shorewall
>> implicitly defend against spoofing?
>
> No and No. ISNs are strictly the responsibility of the Linux TCP stack.

Now that I think of it, I'm not sure that this is a TCP stack issue -- it may be the version of sshd that you are using.

As to the question of spoofing -- Shorewall DOES protect against some forms of spoofing but doesn't not have anything to do with spoofing based on ISNs.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
--On Wednesday, November 20, 2002 07:19:11 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> ... but doesn't not have anything to do with ....

Hmmmm - that was eloquent...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
--On Wednesday, November 20, 2002 07:19:11 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> Now that I think of it, I'm not sure that this is a TCP stack issue -- it
> may be the version of sshd that you are using.

After reading the article at Symantec.com, I find that I was right the first time -- the ISN is assigned by the TCP stack. This isn't something that Shorewall has any control over...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
That's kind of what I figured. I'm running Linux kernel 2.4.19, so I'd assume many people would have this problem.

Tom Eastep wrote:

> --On Wednesday, November 20, 2002 07:19:11 PM -0800 Tom Eastep
> <teastep@shorewall.net> wrote:
>
>> Now that I think of it, I'm not sure that this is a TCP stack issue
>> -- it
>> may be the version of sshd that you are using.
>
> After reading the article at Symantec.com, I find that I was right the
> first time -- the ISN is assigned by the TCP stack. This isn't
> something that Shorewall has any control over...
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://shorewall.sf.net
> ICQ: #60745924 \ teastep@shorewall.net
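The thread ends with the conclusion that the ISN comes from the TCP stack, not the firewall, so the useful follow-up for an administrator is to verify the scanner's claim directly rather than tune Shorewall. The script below is an added example, not part of the mailing-list thread and not Shorewall or Nessus code. It assumes you have already collected the server's ISNs from the SYN-ACK of several repeated connections per (source port, destination port) pair (for instance with `tcpdump -S`, which prints absolute sequence numbers) and entered them as tuples; the two sample sets are constructed to illustrate a weak stack and a healthy one, not captured from a real host. A stack following RFC 1948 / RFC 6528 mixes a clock and a secret-keyed hash into the ISN, so repeated connections on the same port pair must not yield the same value.

```python
"""Check captured TCP initial sequence numbers (ISNs) for the weakness the
Nessus finding describes: ISNs that depend only on the port pair.

Added example for the thread above; the observations are constructed.
Each observation is (source_port, dest_port, isn) read from the SYN-ACK
the scanned host sent back, e.g. via `tcpdump -S`.
"""
import math
from collections import Counter, defaultdict


def group_by_ports(observations):
    """Map each (sport, dport) pair to the list of ISNs seen for it."""
    groups = defaultdict(list)
    for sport, dport, isn in observations:
        groups[(sport, dport)].append(isn)
    return groups


def isn_depends_only_on_ports(observations):
    """True if every port pair that was connected more than once always
    produced the identical ISN; that is the Nessus finding in a nutshell.

    Raises ValueError when no port pair was sampled twice, because the
    check cannot say anything without repeated connections.
    """
    repeated = [isns for isns in group_by_ports(observations).values()
                if len(isns) > 1]
    if not repeated:
        raise ValueError("need at least one port pair sampled more than once")
    return all(len(set(isns)) == 1 for isns in repeated)


def isn_entropy_bits(observations):
    """Shannon entropy of the observed ISN values in bits.

    Upper bound is log2(number of observations); a deterministic-per-port
    stack can never exceed log2(number of distinct port pairs).
    """
    counts = Counter(isn for _, _, isn in observations)
    n = len(observations)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(observations):
    """Summarise the evidence as a small dict the operator can read off."""
    return {
        "deterministic_per_port_pair": isn_depends_only_on_ports(observations),
        "distinct_isns": len({isn for _, _, isn in observations}),
        "entropy_bits": round(isn_entropy_bits(observations), 2),
    }


# Constructed sample: three source ports, three connections each, and the
# host answers every repeat with the same ISN (weak, port-derived ISNs).
WEAK_SAMPLE = [
    (40001, 22, 0x1A2B3C4D), (40001, 22, 0x1A2B3C4D), (40001, 22, 0x1A2B3C4D),
    (40002, 22, 0x5E6F7081), (40002, 22, 0x5E6F7081), (40002, 22, 0x5E6F7081),
    (40003, 22, 0x92A3B4C5), (40003, 22, 0x92A3B4C5), (40003, 22, 0x92A3B4C5),
]

# Constructed sample: same port pairs, but every connection gets a fresh ISN,
# as a clock-plus-keyed-hash generator would produce.
HEALTHY_SAMPLE = [
    (40001, 22, 0x3F8A1C27), (40001, 22, 0xB12D9E40), (40001, 22, 0x7C05E6F9),
    (40002, 22, 0x0A9F6B31), (40002, 22, 0xE43C1D58), (40002, 22, 0x5B7E20A4),
    (40003, 22, 0xC6D1F093), (40003, 22, 0x2E9B4A7D), (40003, 22, 0x88F3C516),
]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        print(name, analyze(sample))
```

If `deterministic_per_port_pair` comes back True on real captures, the fix lives in the kernel (or whatever device terminates TCP in front of the host), as Tom says; no firewall rule changes that. Nine samples are only a smoke test; for a real assessment collect a few dozen connections per port pair, and remember that a clock-based ISN can still be predictable even when no two values repeat, so this check catches the crude case the scanner reports, not every weak generator.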