[KLUG Members] Re: Shorewall.log file analysis help

Peter Buxton members@kalamazoolinux.org
Tue, 26 Aug 2003 06:30:40 -0400


On Mon, Aug 25, 2003 at 03:27:39PM -0500, Bob Kanaley was only escaped
   alone to tell thee:

> In the firewall log file entry I broke down, the incoming ftp packet
> was dropped at the external interface. But the packet did have to be
> read by the firewall to know that it should be dropped. From what I
> have read, carefully crafted packets seem to be the vector used to
> exploit many vulnerabilities. If reading a packet containing
> malicious data in an IP header field can cause a buffer overrun, I
> suspect my firewall could be compromised.

TCP/UDP/ICMP/IGMP over IP is built for simplicity. Because they are so
widely and commonly used, the protocol stacks tend to be hardier than
the applications using them. Thus, you would be more accurate to say
that Code Red, e.g., sends carefully crafted HTTP 1.0 messages over IP
packets. The packets themselves are rarely the vector; you have to trust
the kernel to drop malformed packets.

Your server can't know the port number of any packet without accepting
that packet first. If Linux has a TCP/IP stack vulnerability, we'll all
find out very quickly, as every server, let alone firewall, with that
kernel bug will be in danger.

-- 
-24
Holding your drinking to a schedule is always the
first sign of alcoholism. -- Christopher Hitchens
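As an added illustration of the point in the reply above (this is example code, not anything posted in the thread): a minimal IPv4/TCP/UDP header parser that shows why the port number is only known after the headers have been read, and how a stack rejects malformed headers before any port-based rule is consulted. All addresses, ports and the FTP SYN packet are constructed sample values.

```python
import struct
import socket

IPPROTO_TCP, IPPROTO_UDP = 6, 17

def parse_ports(pkt: bytes):
    """Return (proto, src_ip, dst_ip, sport, dport), or None when the packet is
    malformed or portless and must be dropped before port rules can apply."""
    if len(pkt) < 20:                       # shorter than a minimal IPv4 header
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        return None                         # bad version or header-length field
    if total_len < ihl or total_len > len(pkt):
        return None                         # header claims more data than arrived
    l4 = pkt[ihl:total_len]
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])  # ports are the first 4 bytes
        return proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport
    return None                             # ICMP, IGMP, ... carry no ports

def build_ipv4(proto: int, src: str, dst: str, l4: bytes) -> bytes:
    """Construct a well-formed IPv4 packet around an L4 header (checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4

# Constructed sample: an inbound TCP SYN aimed at the FTP control port (21).
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 21, 1, 0, 0x50, 0x02, 65535, 0, 0)
FTP_SYN = build_ipv4(IPPROTO_TCP, "198.51.100.7", "203.0.113.10", TCP_SYN)

def classify(pkt: bytes) -> str:
    """Mimic the decision order: header sanity first, port rule second."""
    parsed = parse_ports(pkt)
    if parsed is None:
        return "DROP (malformed or portless; never reaches port rules)"
    proto, _s, _d, _sp, dport = parsed
    if proto == IPPROTO_TCP and dport == 21:
        return "DROP (policy: ftp not accepted on the external interface)"
    return "CONTINUE (evaluate remaining rules)"

if __name__ == "__main__":
    print(classify(FTP_SYN))          # port rule reached, ftp dropped by policy
    print(classify(FTP_SYN[:30]))     # truncated on the wire: dropped earlier
```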