Re: [FW1] DoS question
On Tue, 7 Sep 1999 Alan.Trevillion@bankofamerica.com wrote:
> But if you send a packet with the SYN and ACK bit set, could you not fool the
> firewall into thinking that it was a reply?, hence my question about the
> reverse rule.
Let's say you only have 1 rule in your rule base:
A can talk to B.
This means A can initiate a connection to B, but B cannot initiate
a connection to A. When A sends its first packet to B initiating
the connection, FW-1 looks to see if the session is allowed. Based
on our single rule above, it is allowed, so the packet goes through
and the session is built in the connections table, with a timeout
limit. This now means that B can send whatever packets it wants
to A during that timeout, as long as both source/dest IPs and
source/dest ports match up.
Now, if there is no session in the connections table, B cannot
send any packets to A, regardless of the make and model. The
only way B can ever send packets to A is if:
1. A has already sent a packet to B, building a connections table.
2. You add a new rule allowing B to talk to A
Hope that helps ...
Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
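The connections-table behaviour described in the reply above, as an added example that is not part of the original post and is not Check Point code: a toy stateful filter with a single rule "A can talk to B". Host addresses, port numbers, the 60-second timeout and the refresh-on-traffic behaviour are all assumptions of this model. The point it demonstrates is that the SYN and ACK bits are never consulted: a forged SYN/ACK from B is dropped because no session exists, and a genuine reply is allowed only because A's earlier packet built the table entry.

```python
"""Toy model of FW-1 style stateful inspection (added example, not Check Point code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical addresses for hosts A and B; the rule base is just "A can talk to B".
A = "10.0.0.1"
B = "192.168.0.2"
TIMEOUT = 60  # seconds an entry lives in the connections table (assumed value)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S", "SA", "A" ...; deliberately ignored by the filter


Key = Tuple[str, str, int, int]


class StatefulFirewall:
    def __init__(self, rules: List[Tuple[str, str]], timeout: int = TIMEOUT):
        self.rules = rules                  # (initiator, responder) pairs allowed to open sessions
        self.timeout = timeout
        self.conns: Dict[Key, float] = {}   # connections table: key -> expiry timestamp

    def _rule_allows(self, pkt: Packet) -> bool:
        return any(pkt.src == src and pkt.dst == dst for src, dst in self.rules)

    def process(self, pkt: Packet, now: float) -> str:
        # 1. Is this packet part of a session already in the connections table?
        #    Both directions of the same 4-tuple match, so B's replies get through.
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        for key in (fwd, rev):
            expiry = self.conns.get(key)
            if expiry is not None:
                if now < expiry:
                    self.conns[key] = now + self.timeout  # refresh on traffic (assumed)
                    return "ALLOW"
                del self.conns[key]  # entry timed out; B has to start over
        # 2. No session: only a packet that matches a rule may build one.
        #    TCP flags play no part; a forged "reply" from B simply fails the rule check.
        if self._rule_allows(pkt):
            self.conns[fwd] = now + self.timeout
            return "ALLOW"
        return "DROP"


def demo() -> List[str]:
    """Constructed packet sequence exercising the cases from the post."""
    fw = StatefulFirewall(rules=[(A, B)])
    decisions = []
    # Forged "reply": SYN/ACK from B to A with nothing in the table -> dropped
    decisions.append(fw.process(Packet(B, A, 80, 40000, "SA"), now=0))
    # A initiates -> allowed by the rule, entry built in the connections table
    decisions.append(fw.process(Packet(A, B, 40000, 80, "S"), now=1))
    # Genuine reply -> allowed because IPs and ports match the table entry
    decisions.append(fw.process(Packet(B, A, 80, 40000, "SA"), now=2))
    # Same hosts, different port -> no matching entry, dropped
    decisions.append(fw.process(Packet(B, A, 80, 40001, "SA"), now=3))
    # Long after the timeout, B's packet is dropped again
    decisions.append(fw.process(Packet(B, A, 80, 40000, "A"), now=200))
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d)
```

Note that the forged packet is dropped before the flags are even looked at: the first SYN/ACK and the last ACK fail for the same reason, the absence of a table entry, which is exactly why a "reverse rule" is not needed for replies.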