 From:  Frederick Page <fpage at thebetteros dot oche dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 1.1 is out!
 Date:  Tue, 24 Aug 2004 14:54:28 +0200
Hello Fred,

Fred Wright wrote on 23 August 2004:

>>Maybe a simple (optional) flag "strip DF flag on outgoing packets"

>Aarrgh.  No, no, no.  That would break the cases where PMTUd works
>fine, and force fragmentation on things that are trying to avoid it.

I already had a lengthy answer to PMTU not working, since most
m0n0wall users probably don't have an explicit rule to allow ICMP.
But then I read this:

>The stateful filter automatically passes ICMP errors associated with
>established flows, regardless of rules.

If I had known this, I wouldn't have asked about ICMP and/or the DF
flag. Of course my question is totally obsolete now, since everything
is already taken care of ;-)

The official documentation left me with the impression that
everything that is not explicitly allowed gets dropped.

>The only effect of blocking or passing ICMP in the rules is to
>determine whether incoming ICMP *requests* (e.g. pings) are accepted.

Gee, the docs sure need some work ;-)

>Fragmentation Needed errors aren't the only useful ones

I know, TTL expired, Source quench, etc. are all useful too. Speaking
of TTL expired: you probably know tools like "firewalker" which attack
with faked TTLs? If m0n0wall accepts ICMP without the admin's
consent, how secure is it against such tools as hping, nmap, etc.?
What about ACK storms?

Laurent Joncheray - A Simple Active Attack Against TCP

ACK Storms and TCP Hijacking - David Anderson and Brian Teague

>- e.g. the only non-timeout way of determining that a UDP-based
>service isn't available is via ICMP.  And there's traceroute, of

On my linux-firewall I used to reject with "icmp-admin-prohibited" ;-)

Kind regards and thank you for the clarification.
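The mechanism the two of you are discussing (a stateful filter passing ICMP errors only when they belong to an established flow, while echo requests remain subject to the rules) can be illustrated in a few lines. The block below is an added example and is not m0n0wall's code; it is a simplified model of the state check. It relies on the standard packet layouts (IPv4 header, first 8 bytes of the transport header quoted inside an ICMP error per RFC 792, next-hop MTU in a Fragmentation Needed message per RFC 1191). The state table, host addresses (192.168.1.10, 203.0.113.5, 198.51.100.1) and sample packets are constructed here. It also shows why the forged-ICMP attacks mentioned above are harder against such a filter: a forged error whose quoted header does not name an existing flow is dropped, so the attacker has to guess the 5-tuple.

```python
"""Model of a stateful filter's ICMP-error check (added illustration,
not m0n0wall code). An ICMP error carries the offending datagram's IP
header plus the first 8 bytes of its transport header, so the filter
can look that quote up in its flow state table."""
import socket
import struct

# ICMP types that are errors about an earlier datagram, not requests.
ICMP_ERROR_TYPES = {3: "destination unreachable", 4: "source quench",
                    11: "time exceeded", 12: "parameter problem"}

def checksum(data: bytes) -> int:
    """RFC 1071 internet checksum; returns 0 when data already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64, df=False):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    flags_frag = 0x4000 if df else 0          # DF is bit 14 of flags/fragment field
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def tcp_quote(sport, dport, seq):
    """First 8 bytes of a TCP header: ports and sequence number, all an error quotes."""
    return struct.pack("!HHI", sport, dport, seq)

def icmp_error(type_, code, quoted, mtu=0):
    """ICMP error message; for type 3/code 4 the last 16 bits carry next-hop MTU."""
    body = struct.pack("!BBHHH", type_, code, 0, 0, mtu) + quoted
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def classify_icmp(packet: bytes, states: set):
    """Decide what a stateful filter does with an inbound IPv4/ICMP packet.

    Returns ("pass-state", flow) for an error matching an established flow,
    ("rules", why) when the packet is an ICMP request/reply the ruleset
    must decide on, or ("drop", why) otherwise.
    states: set of (proto, local_ip, local_port, remote_ip, remote_port)."""
    if len(packet) < 20:
        return ("drop", "truncated IP header")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        return ("rules", "not ICMP")
    outer_dst = socket.inet_ntoa(packet[16:20])
    icmp = packet[ihl:]
    if len(icmp) < 8:
        return ("drop", "truncated ICMP header")
    if checksum(icmp) != 0:
        return ("drop", "bad ICMP checksum")
    if icmp[0] not in ICMP_ERROR_TYPES:
        return ("rules", "ICMP request/reply, subject to ruleset")
    inner = icmp[8:]                          # quoted offending datagram
    if len(inner) < 20:
        return ("drop", "no quoted IP header")
    inner_ihl = (inner[0] & 0x0F) * 4
    inner_proto = inner[9]
    inner_src = socket.inet_ntoa(inner[12:16])
    inner_dst = socket.inet_ntoa(inner[16:20])
    # An error is addressed to the sender of the quoted datagram; anything
    # else is malformed or forged (sanity check assumed here, not from the thread).
    if outer_dst != inner_src:
        return ("drop", "error not addressed to the quoted sender")
    transport = inner[inner_ihl:inner_ihl + 8]
    if len(transport) < 8:
        return ("drop", "quote shorter than 8 transport bytes")
    if inner_proto in (6, 17):                # TCP or UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", transport[:4])
        key = (inner_proto, inner_src, sport, inner_dst, dport)
    else:
        key = (inner_proto, inner_src, None, inner_dst, None)
    if key in states:
        return ("pass-state", key)
    return ("drop", "quoted packet matches no established flow")

# Constructed scenario: our host has one TCP flow to a remote HTTPS server.
OUR_HOST, REMOTE, ROUTER = "192.168.1.10", "203.0.113.5", "198.51.100.1"
STATES = {(6, OUR_HOST, 40000, REMOTE, 443)}

def sample_frag_needed(sport):
    """Fragmentation Needed from a router, quoting our DF packet with port sport."""
    quoted = ipv4_header(OUR_HOST, REMOTE, 6, 1460, df=True) + tcp_quote(sport, 443, 1000)
    icmp = icmp_error(3, 4, quoted, mtu=1400)
    return ipv4_header(ROUTER, OUR_HOST, 1, len(icmp)) + icmp

def sample_echo_request():
    """Plain ping from the remote host: not an error, so the rules decide."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(REMOTE, OUR_HOST, 1, len(icmp)) + icmp

if __name__ == "__main__":
    print("genuine PMTU error :", classify_icmp(sample_frag_needed(40000), STATES))
    print("forged PMTU error  :", classify_icmp(sample_frag_needed(12345), STATES))
    print("ping               :", classify_icmp(sample_echo_request(), STATES))
```

The genuine error passes because its quote names the real flow; the forged one, which quotes a port we never used, is dropped without consulting the rules; the ping is neither, so it goes to the ruleset exactly as the reply above describes.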