On Wed, Feb 23, 2000 at 08:48:29AM -0500, Robert Glover wrote:
> > Robert Glover wrote:
> > > Some wretched soul might send a non-SYN packet at one your open TCP ports as
> > > part of some kind of port scan.  The response from that port would tell them
> > > that something is there.  If those ports were blocked by the stateful
> > > inspection firewall, then there would be no response.

> > I see.  I don't have a lot of experience writing custom IP packets, so
> > what kind of response would a Linux kernel send to a packet without a
> > SYN flag that wasn't part of an established stream?

> I'm not too sure.  It would probably reject or discard the packet if the
> sequence numbers didn't match.

        There is nothing to match sequence numbers against.  If you don't
have a connection (an ordered pair of saddr:sport daddr:dport) then you
don't even get so far as to have sequence numbers to look at.

        A packet like that might get a RST back or it might get an
ICMP_DEST_UNREACH ICMP_PORT_UNREACH (if there is nothing listening
on that port) or it might get an ICMP_DEST_UNREACH ICMP_HOST_UNREACH or
ICMP_NET_UNREACH (if the box or subnetwork is off or non-existent).  By
analysing the returned error you might gain clues about the existence of
systems and services.  It's not very deterministic and not always very
accurate, but it doesn't have to be.

        It helps to have a firewall that blocks ICMP packets (all except
for ICMP_DEST_UNREACH ICMP_FRAG_NEEDED which is required for MTU discovery).
That cuts way back on what information they can gather.  It also means
that you just broke ping and traceroute and a few other convenient
diagnostic tools.  The price you pay.

        Another nice tool to have riding on top of a firewall (stateful
or not) is Abacus PortSentry, <www.psionic.com>.  Most scans include a
fully connected port scan as part of the scanning.  Using PortSentry to
detect those scans, you can shut your firewall against the snooper before
he gets very far.  The other types of scans can be detected by PortSentry
as well, but they can also be spoofed to turn PortSentry against you
(although no one has ever seen it actually done).  Use it with the
port redirection feature of the IPChains firewall and you can use it
to detect attempts to scan any part of the protected network through the
firewall.

> > I really don't want to sound argumentative... just trying to learn more
> > about TCP.  From what you've described, I can see the value of stateful
> > firewalls.  Sounds like something that would be very useful to all of us
> > broadband users...
> > 
> > Thanks
> > MSG

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
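As an added illustration (not part of the thread, and not PortSentry or ipchains code), here is a toy Python model of the two defensive behaviours described above: a stateful filter that silently drops TCP packets which belong to no tracked connection, so the kernel never emits the RST or ICMP unreachable a scanner would learn from, and an outbound ICMP policy that lets only "fragmentation needed" through. Listening ports, addresses and traffic are constructed for the example.

```python
from dataclasses import dataclass
from collections import Counter

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0

class StatefulFilter:
    """Admits SYNs to listening ports and packets of tracked connections;
    everything else is dropped without any RST/ICMP reply reaching the sender."""

    def __init__(self, listening_ports):
        self.listening = set(listening_ports)
        self.conns = set()        # tracked (src, sport, dst, dport) tuples
        self.stray = Counter()    # per-source count of non-SYN packets with no connection

    def inbound(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.conns:
            if p.flags & TCP_RST:         # peer tore the connection down
                self.conns.discard(key)
            return "accept"
        if p.flags & TCP_SYN and not p.flags & TCP_ACK:
            if p.dport in self.listening:
                self.conns.add(key)
                return "accept"
            return "drop"                 # closed port: no RST leaks back
        self.stray[p.src] += 1            # scan signal worth alerting on
        return "drop"

def outbound_icmp_allowed(icmp_type: int, icmp_code: int) -> bool:
    """Only Destination Unreachable / Fragmentation Needed (type 3, code 4)
    leaves the host, which keeps path-MTU discovery working."""
    return (icmp_type, icmp_code) == (3, 4)

# Constructed sample traffic (not captured from a real host).
fw = StatefulFilter(listening_ports={22, 80})
SCANNER = "203.0.113.9"
verdicts = [
    fw.inbound(Packet("198.51.100.5", 40000, "192.0.2.1", 80, TCP_SYN)),  # new connection
    fw.inbound(Packet("198.51.100.5", 40000, "192.0.2.1", 80, TCP_ACK)),  # part of it
    fw.inbound(Packet(SCANNER, 55555, "192.0.2.1", 80, TCP_ACK)),         # stray ACK probe
    fw.inbound(Packet(SCANNER, 55556, "192.0.2.1", 25, TCP_SYN)),         # SYN to closed port
]
```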
