> -----Original Message-----
> From: Mikael Olsson [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 28 July 2000 9:52 PM
> To: Ben Nagy
> Cc: 'Bernd Eckenfels'; [EMAIL PROTECTED]
> Subject: Re: cisco Established keyword
>
> Ben Nagy wrote:
> >
[stuff]
And Mike wrote:
> I hope you realize that it looks like you're describing FW-1 here.
Which is why I prepended the whole thing with "I don't know jack about
FW-1". C'mon, Mike. Sheesh.
> I'm not sure if that's what you intended, but for fw-1, it's pretty
> much "dead wrong". FW-1 doesn't care jack about sequence numbers.
> For all I know, you could shoot any application level command through
> it by sending overlapping segments that rewrite the result at the
> receiving host.
All I was saying is that if control channel commands that a FW cares about
are fragmented and out of order then the only way the FW can do anything
sensible with those is to reassemble them. To reassemble them it needs
sequence numbers.
I have a hard time believing, for example, that if you send an outgoing FTP
PORT command, fragmented, that FW-1 will not reassemble it to find out what
hole to whack in the state table. If it is stupid enough not to care about
inbound command inspection then that's FW-1's problem.
>
[snip]
>
> (Note: we're talking vanilla fw-1 here. I don't have a single clue
> what happens in its "security servers", other than having seen
> posts where people claim that they are simply proxies rebranded
> so that fw-1 wouldn't have to be associated with such technology :)
The "security servers" are the userspace inspection module thingies, aren't
they? If that's the case then are you suggesting that FW-1 breaks the data
out to proxy applications for inspection in a manner _different_ to the one
I described? ;)
>
> --
> Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
> Obviously having a "grumpy" day
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
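The reassembly Ben argues an inspecting firewall has to do, as an added illustration that is not part of this thread and not FW-1 code: a constructed FTP PORT command split across out-of-order TCP segments, inspected once per segment and once after sequence-number reassembly, with the overlap policy (Mikael's "overlapping segments that rewrite the result") made explicit. The segment contents, the initial sequence number and the two overlap policies are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# FTP "PORT h1,h2,h3,h4,p1,p2": data connection goes to h1.h2.h3.h4, port p1*256+p2
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")

# Constructed sample (not captured traffic): one "PORT 10,0,0,5,4,1\r\n" command in
# three TCP segments arriving out of order, then a retransmission overlapping the
# third segment with different data. Entries are (sequence number, payload).
ISN = 1000  # hypothetical initial sequence number of the client->server stream
SEGMENTS: List[Tuple[int, bytes]] = [
    (ISN + 12, b"5,4,1\r\n"),  # third piece, arrives first
    (ISN + 0, b"PORT 10,"),    # first piece
    (ISN + 8, b"0,0,"),        # second piece, closes the gap
    (ISN + 12, b"9"),          # overlapping byte that would rewrite "5" as "9"
]

def parse_port(data: bytes) -> Optional[Tuple[str, int]]:
    """Return (host, port) of the first complete PORT command in data, else None."""
    m = PORT_RE.search(data)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def inspect_per_segment(segments: List[Tuple[int, bytes]]) -> Optional[Tuple[str, int]]:
    """Stateless inspection: examine each segment's payload on its own."""
    for _, data in segments:
        found = parse_port(data)
        if found is not None:
            return found
    return None

def reassemble(segments: List[Tuple[int, bytes]], isn: int, overlap: str = "first") -> bytes:
    """Rebuild the in-order stream from sequence numbers; a hole stops delivery.
    overlap="first" keeps the byte received first, "last" lets a later segment
    rewrite it. The firewall must use whichever policy the receiving host uses."""
    stream: Dict[int, int] = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            off = seq - isn + i
            if overlap == "first":
                stream.setdefault(off, byte)
            else:
                stream[off] = byte
    out = bytearray()
    while len(out) in stream:  # deliver only the contiguous prefix
        out.append(stream[len(out)])
    return bytes(out)
```

Per-segment inspection never sees a complete PORT command, while the reassembled stream yields 10.0.0.5:1025 under the first-wins policy and 10.0.0.9:1025 under last-wins, which is why the firewall's reassembly has to mirror the host's.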