List:       netfilter
Subject:    Re: [LARTC] Interesting article about punching holes in firewalls...
From:       Torsten Luettgert <t.luettgert () pressestimmen ! de>
Date:       2006-12-25 21:43:05
Message-ID: 1167082986.2358.9.camel () elida ! cbxnet ! de

On Thu, 2006-12-21 at 08:57 +0100, Carl-Daniel Hailfinger wrote:
> Grant Taylor wrote:
> > I ran across an interesting article
[...]
> This is wrong on so many levels. Please reread the article. Then read
> the source code of your favourite firewalling system. All of those
> "attacks" require cooperation from your side. And if you (or someone
> using the computer you try to protect) are actively cooperating with
> the attacker, "fixing" the firewall should be the least important of
> your problems.

Very true... the described method isn't an "attack", it's just a way to
facilitate connections between two NATed partners.

> I'm still seeing people who absolutely want to deploy the iptables
> UNCLEAN match to "make their network more secure".

This makes me curious: wouldn't UNCLEAN improve security? Afair, the
main argument against UNCLEAN (and grounds for its removal) was that
it broke ECN at some time in the past, and that "something like this
could happen again".

Personally, I like the idea of rejecting anything that violates the
existing standards.

Regards,
Torsten
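The ECN point raised above is worth seeing concretely. The following is an added example, not code from this list message or from netfilter's UNCLEAN match: a small TCP-header sanity checker of the kind a strict "reject anything non-standard" match performs, with a switch that reproduces the historical failure mode. Before RFC 3168 the two bits now used for ECE and CWR were "reserved, must be zero", so a checker written to that reading rejects every ECN-negotiating SYN; with the bits recognised as ECN, the same packet passes. The specific rule set, the `allow_ecn` parameter and the constructed headers are assumptions for illustration.

```python
import struct

# TCP control bits: RFC 793 plus the RFC 3168 ECN bits (ECE, CWR)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

# Assumed rule set, reconstructed for illustration; not the UNCLEAN match's code.
def check_tcp_flags(flags: int, allow_ecn: bool = True) -> list:
    """Return the standard violations found in a TCP flags byte (empty = clean)."""
    problems = []
    if flags & 0x3F == 0:                       # none of the six RFC 793 bits set
        problems.append("no control bits set")
    if flags & SYN and flags & FIN:
        problems.append("SYN and FIN together")
    if flags & SYN and flags & RST:
        problems.append("SYN and RST together")
    if flags & FIN and not flags & ACK:
        problems.append("FIN without ACK")
    if flags & (PSH | URG) and not flags & ACK:
        problems.append("PSH/URG without ACK")
    # The pre-ECN reading: bits 6 and 7 are reserved and must be zero.
    # This is exactly the check that broke ECN-enabled hosts.
    if not allow_ecn and flags & (ECE | CWR):
        problems.append("reserved bits set (pre-ECN reading)")
    return problems


def parse_tcp_header(hdr: bytes) -> dict:
    """Parse the fixed 20-byte part of a TCP header."""
    if len(hdr) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack(
        "!HHIIBBHHH", hdr[:20]
    )
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off_res >> 4, "flags": flags, "window": win}


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Construct a minimal 20-byte TCP header (constructed sample input)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def classify(hdr: bytes, allow_ecn: bool = True) -> list:
    """Run the sanity rules over a raw header; data offset below 5 is also a violation."""
    h = parse_tcp_header(hdr)
    problems = []
    if h["data_offset"] < 5:
        problems.append("data offset below minimum header length")
    return problems + check_tcp_flags(h["flags"], allow_ecn)


if __name__ == "__main__":
    ecn_syn = build_tcp_header(40000, 80, SYN | ECE | CWR)   # constructed ECN-negotiating SYN
    print("ECN SYN, ECN-aware checker:", classify(ecn_syn, allow_ecn=True))
    print("ECN SYN, pre-ECN checker:  ", classify(ecn_syn, allow_ecn=False))
    print("SYN+FIN:", classify(build_tcp_header(40000, 80, SYN | FIN)))
    print("null flags:", classify(build_tcp_header(40000, 80, 0)))
```

The point for a ruleset author: every "this is not how packets look" rule encodes the standards as understood at the time it was written. Drop rules that are tied to specific bit combinations should be revisited whenever the protocol grows a new option, which is the concern expressed in the thread about UNCLEAN.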
