Re: using port numbers in selectors
> Fine, the first fragment containing the upper-level protocol header may have
> gone a different route. However, if you let the rest of the
> fragments through as a result, I'd argue you have a security hole.
I don't think this is a major issue.
If you're allowing fragments through *at all*, and if you're allowing
packets through based on transport protocol and port number, that
implies a minimal level of trust in the end systems inside the
firewall (to correctly implement reassembly, and to correctly
implement services on the ports being let through).
- Bill
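As an added illustration that is not part of this thread, the following Python model shows the two fragment policies being argued over: a port-based selector can only be evaluated on the first fragment (offset 0), because only that fragment carries the TCP/UDP header; a non-first fragment can then either be passed through on the trust argument above, or be tied to a first fragment that was already accepted. The packets, addresses, `build_ipv4` helper and `FragmentAwareFilter` class are all constructed here for the example and are not from any real filter implementation.

```python
import socket
import struct

TCP, UDP = 6, 17


def build_ipv4(src, dst, ident, proto, offset, more_fragments, payload):
    """Build a minimal IPv4 datagram as test input (constructed, no checksum)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0, src, dst)
    return header + payload


def parse_ipv4(packet):
    """Extract the header fields a fragment-aware filter needs."""
    (ver_ihl, _tos, _total, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": src, "dst": dst, "ident": ident, "proto": proto,
        "mf": bool(flags_frag & 0x2000),       # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,   # fragment offset in bytes
        "payload": packet[ihl:],
    }


def transport_ports(info):
    """Return (src_port, dst_port) only if this fragment really carries them.

    Only the first fragment (offset 0) of a TCP/UDP datagram contains the
    transport header; a first fragment too short to hold both ports is
    treated as carrying none, so it cannot match a port selector.
    """
    if info["offset"] != 0 or info["proto"] not in (TCP, UDP):
        return None
    if len(info["payload"]) < 4:
        return None
    return struct.unpack("!HH", info["payload"][:4])


class FragmentAwareFilter:
    """Port-based packet filter with two policies for non-first fragments."""

    def __init__(self, allowed_dst_ports, pass_nonfirst_fragments):
        self.allowed = set(allowed_dst_ports)
        self.pass_nonfirst = pass_nonfirst_fragments
        # (src, dst, ident, proto) of first fragments already accepted
        self.accepted_flows = set()

    def decide(self, packet):
        """True if the packet passes the filter, False if it is dropped."""
        info = parse_ipv4(packet)
        key = (info["src"], info["dst"], info["ident"], info["proto"])
        if info["offset"] == 0:
            ports = transport_ports(info)
            ok = ports is not None and ports[1] in self.allowed
            if ok and info["mf"]:
                self.accepted_flows.add(key)
            return ok
        # Non-first fragment: the port selector cannot be evaluated here.
        if self.pass_nonfirst:
            return True                    # rely on the end host's reassembly
        ok = key in self.accepted_flows    # only follow an accepted first fragment
        if ok and not info["mf"]:
            self.accepted_flows.discard(key)
        return ok


def run_demo():
    """Constructed input: a DNS datagram split in two, plus an orphan fragment."""
    src, dst = socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5")
    udp_hdr = struct.pack("!HHHH", 4000, 53, 24, 0)    # src port 4000 -> dst port 53
    first = build_ipv4(src, dst, 1, UDP, 0, True, udp_hdr + b"A" * 8)
    rest = build_ipv4(src, dst, 1, UDP, 16, False, b"B" * 8)
    orphan = build_ipv4(src, dst, 2, UDP, 16, False, b"C" * 8)  # first fragment never seen
    results = {}
    for name, policy in (("strict", False), ("permissive", True)):
        f = FragmentAwareFilter({53}, pass_nonfirst_fragments=policy)
        results[name] = tuple(f.decide(p) for p in (first, rest, orphan))
    return results


if __name__ == "__main__":
    for name, decisions in run_demo().items():
        print(name, "first/rest/orphan ->", decisions)
```

The strict policy drops the orphan fragment but also drops any legitimate non-first fragment whose first fragment took a different route and has not been seen yet, which is exactly the trade-off the two messages above disagree about; the permissive policy passes both and leaves the outcome to the reassembling host.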