In a message of 28 Feb at 18:15, Maciej Soltysiak wrote:
> I believe there would be only one reason to send 'unclean' udp packets and
> that would be to map a network behind a non rfc1318 compliant router.
hmm, RFC1318 is "Definitions of Managed Objects for
Parallel-printer-like Hardware Devices". I guess you meant RFC1812.
> If I am not mistaken Guillaume Morin's Unclean match matches
> bad TCP flags, various checksums of TCP/UDP/ICMP/IP traffic, header
> lengths, and so on.
ipt_unclean does indeed do this kind of thing, but I am not the original
author (thanks anyway) :-)
> The best way to handle UDP traffic would be to block it as soon as
> possible on all ports without, say 53 and 123 (if you use ntp)
>
> Currently every good firewall blocks udp completely or almost completely
> (allowing udp to DNS only),
> and that makes UDP Scans virtually useless.
That is true. A good firewall should allow these packets only from well
known addresses (udp spoofing is trivial, but the attacker will have to
find those).
Furthermore, afaik UDP DNS answers should _very_ rarely fail to be matched
by a --state ESTABLISHED rule. Then you could not even authorize those
packets.
--
Guillaume Morin <[EMAIL PROTECTED]>
Don't forget your smile tonight if you go out
(Noir Désir)
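The UDP policy the thread converges on (replies to our own queries accepted via conntrack, unsolicited UDP only on 53/123 and only from known addresses, everything else dropped), as an added example not taken from the thread or from ipt_unclean. The resolver and NTP addresses are constructed placeholders; by default the script only prints the iptables commands (set IPT=iptables to apply them).

```shell
#!/bin/sh
# Added example: emit INPUT rules for the UDP policy discussed above.
# IPT defaults to a dry run that prints the commands instead of running them.
IPT="${IPT:-echo iptables}"
# Constructed placeholder addresses of the hosts allowed to send us
# unsolicited DNS queries (if we serve DNS) and NTP traffic.
DNS_PEERS="${DNS_PEERS:-192.0.2.53}"
NTP_PEERS="${NTP_PEERS:-192.0.2.123}"

udp_input_rules() {
    # A UDP datagram that answers one we sent (e.g. a DNS reply to our own
    # query) is ESTABLISHED in conntrack, so no blanket "accept sport 53"
    # rule is needed; such a rule would also accept spoofed answers.
    $IPT -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
    # Unsolicited UDP only on the two ports named in the thread and only
    # from well-known peers, since UDP source addresses are easily spoofed.
    for p in $DNS_PEERS; do
        $IPT -A INPUT -p udp -s "$p" --dport 53 -j ACCEPT
    done
    for p in $NTP_PEERS; do
        $IPT -A INPUT -p udp -s "$p" --dport 123 -j ACCEPT
    done
    # Any other UDP is dropped silently: no ICMP port-unreachable goes back,
    # so a UDP scan of this host learns nothing.
    $IPT -A INPUT -p udp -j DROP
}

udp_input_rules
```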