As long as the PIX takes less than 1/2 a second to process the packet, it is not
breaking the RFC. Remember that the TTL was originally supposed to be seconds not hops.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Ben Nagy
Sent: Sunday, April 22, 2001 21:31
To: 'Michael Batchelder'
Cc: '[EMAIL PROTECTED]'
Subject: RE: PIX and open ports
[...]
> given some other measures PIX takes to
> try to keep
> a low profile, like not decrementing TTL's in the IP header. But then
> again, that example is really another case of making yourself
> identifiable by trying to make yourself unidentifiable...
> d'oh... double
> irony.
>
> Michael
That's interesting - that should make it virtually impossible to map a PIX
ruleset with hping2 or firewalk (which is good) but it breaks the RFC for IP
routers (which is possibly bad).
(From RFC 791)
"[The IP TTL field] must be decreased at each point that the internet header
is processed to reflect the time spent processing the datagram."
I'm happy with how bridge-mode firewalls work, but the PIX acts as a router,
with all interfaces having an IP address - there's something wrong here...
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
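As an added illustration (not from the thread or from Cisco), the model below applies the RFC 791 rule Ben quotes: every module that processes a datagram decrements TTL by the seconds spent, and by at least 1 even when processing takes less than a second (RFC 791, section 3.2). The path, hop names and processing times are constructed; the "pix" hop is modelled as forwarding with TTL untouched, so a TTL-expiry sweep never attributes an expiry to it and the path looks one processing point shorter than it is.

```python
# Added illustration of RFC 791 TTL handling; constructed here, not from the thread.
import math
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    processing_seconds: float = 0.01
    decrements_ttl: bool = True   # False models a device that forwards TTL untouched
    is_destination: bool = False  # the final host does not decrement


def rfc791_decrement(ttl: int, processing_seconds: float) -> int:
    """RFC 791 section 3.2: decrement by the seconds spent, but by at least 1."""
    drop = max(1, math.ceil(processing_seconds))
    return max(0, ttl - drop)


def forward(path, initial_ttl):
    """Forward one datagram; return the name of the hop that discarded it, or None if delivered."""
    ttl = initial_ttl
    for hop in path:
        if hop.is_destination:
            return None
        if hop.decrements_ttl:
            ttl = rfc791_decrement(ttl, hop.processing_seconds)
        if ttl == 0:
            # Discarded here; an ICMP Time Exceeded from this hop is what reveals it.
            return hop.name
    return None


def expiry_map(path, max_ttl):
    """For each initial TTL 1..max_ttl, which hop discards the datagram (None = delivered)."""
    return {ttl: forward(path, ttl) for ttl in range(1, max_ttl + 1)}


# Constructed path: two RFC-compliant routers around a device that leaves TTL untouched.
PATH = [Hop("r1"), Hop("pix", decrements_ttl=False), Hop("r2"), Hop("dest", is_destination=True)]

if __name__ == "__main__":
    for ttl, where in expiry_map(PATH, 3).items():
        print(f"TTL {ttl}: {where or 'delivered'}")  # pix is never the answer
```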
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]