Marcus J. Ranum

>Let's take MITM and DOS off the table. No firewall will
>protect you against either of those.

I've addressed the MITM and DOS issues. I don't agree
with you, and I have presented my reasoning.

>Does a router with ACL+"established" let unsolicited
>RSTs through? I thought that all that got through was
>SYN, unless it had an ACK. And to do an RST with
>an active connection don't you need the sequence #?
>That would require a MITM, right?

Yep, it will. Any firewall that does not depend on
tcp sequence #s will allow such an attack.

>The hard thing I had to wrap my brain around was the
>observation that between a router+ACLs combined
>with the state that is held in the TCP stack of the
>target, you've got exactly the same thing (and often
>quite a bit better!) than a "stateful" firewall.

I respectfully disagree for all the reasons I have outlined
before... Sum: tcp sequence #s make a difference.

--Patrick Darden
firewall-wizards mailing list
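Added example, not from the thread: a small model of the two filters being compared above. `acl_established_allows` mirrors a router ACL with the "established" keyword (pass anything inbound with ACK or RST set, no state consulted), while `SeqTrackingFirewall` is an assumed, simplified stateful filter that only passes segments whose sequence number falls inside the window it learned for the flow. Addresses, ports and sequence numbers are constructed; real stateful firewalls track both directions and more than this.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: bool = False
    rst: bool = False


def acl_established_allows(seg: Segment) -> bool:
    """Router ACL with 'established': inbound segments pass if ACK or RST
    is set. No per-connection state is consulted, so an unsolicited RST
    with any sequence number passes this check."""
    return seg.ack or seg.rst


class SeqTrackingFirewall:
    """Stateful filter (assumed, simplified) that remembers per flow the next
    sequence number expected from the outside peer and its window size."""

    def __init__(self) -> None:
        self.flows: dict[tuple, tuple[int, int]] = {}

    def learn(self, src, sport, dst, dport, next_seq, window) -> None:
        # In practice learned from the SYN/SYN-ACK exchange; set directly here.
        self.flows[(src, sport, dst, dport)] = (next_seq, window)

    def allows(self, seg: Segment) -> bool:
        state = self.flows.get((seg.src, seg.sport, seg.dst, seg.dport))
        if state is None:
            return False  # no known flow: drop even if ACK/RST is set
        expected, window = state
        # accept only if seq lies in [expected, expected + window), mod 2^32
        return (seg.seq - expected) % MOD < window


def demo() -> dict:
    fw = SeqTrackingFirewall()
    # constructed flow: outside 203.0.113.5:80 -> inside 192.0.2.10:40000
    fw.learn("203.0.113.5", 80, "192.0.2.10", 40000, next_seq=1000, window=65535)
    out_of_window = Segment("203.0.113.5", 80, "192.0.2.10", 40000, seq=77777777, ack=True, rst=True)
    in_window = Segment("203.0.113.5", 80, "192.0.2.10", 40000, seq=1500, ack=True, rst=True)
    return {
        "out_of_window_acl": acl_established_allows(out_of_window),
        "out_of_window_stateful": fw.allows(out_of_window),
        "in_window_acl": acl_established_allows(in_window),
        "in_window_stateful": fw.allows(in_window),
    }
```

The out-of-window RST passes the ACL but is dropped by the sequence-tracking filter; the in-window one passes both, which is the difference the reply above is pointing at.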