[12206] in bugtraq
Re: BUG: Win NT TCP/IP Security filters does not get enforced
daemon@ATHENA.MIT.EDU (Todd Sabin)
Tue Oct 12 02:03:25 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <m3so3krkxh.fsf@buckaroo.qnz.org>
Date: Sat, 9 Oct 1999 22:47:38 -0400
Reply-To: Todd Sabin <tsabin@BOS.BINDVIEW.COM>
From: Todd Sabin <tsabin@BOS.BINDVIEW.COM>
X-To: Stefan Norberg <stnor@SWEDEN.HP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Stefan Norberg's message of "Fri, 8 Oct 1999 19:04:13 +0200"

Stefan Norberg <stnor@SWEDEN.HP.COM> writes:
> Regardless of settings in the TCP/IP Security filters any IP protocol is
> accepted.
>
Not quite, although it is confusing.
> TCP/IP security configuration example:
>
> Permit all TCP ports, Permit all UDP ports, Permit only IP protocols: 6
>
> The easiest way to prove it's broken is to configure it to only allow
> IP-protocol 6 (TCP) and then ping (ICMP) the host. ICMP being IP protocol 1
> of course.
>
> Another simple way to test this is to use Weld Pond's NT-port of Hobbit's
> netcat (http://www.l0pht.com/~weld/netcat/) to set up a udp-listener on a
> host that is supposed to block udp. Then use netcat on another host to send
> it a nice message.
>
Apparently, the way it works is that for UDP and TCP, you completely
disable them by changing their setting to "Permit Only", and don't
permit any ports, rather than with the IP protocols box. Since you
left UDP at permit all ports, your netcat test got through.
The IP Protocols box is protocols other than UDP and TCP. Except for
ICMP. You can't disable that at all, as you noticed. Not being able
to disable ICMP was discussed on NTBugtraq a little while ago.
Todd
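The filter semantics Todd describes, written out as an added model (not Microsoft's code and not part of the original post) so the two test cases in the thread can be checked against it: Stefan's configuration, and the "Permit Only, no ports" setting that actually disables UDP. Field names, the `NtFilter` class and the sample packets are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


@dataclass(frozen=True)
class NtFilter:
    """Model of the three NT TCP/IP Security filter boxes.

    None means the box is set to "Permit All"; a frozenset means
    "Permit Only" with exactly those values listed (an empty set
    therefore blocks everything in that box).
    """
    tcp_ports: Optional[FrozenSet[int]] = None
    udp_ports: Optional[FrozenSet[int]] = None
    ip_protocols: Optional[FrozenSet[int]] = None

    def accepts(self, proto: int, dst_port: Optional[int] = None) -> bool:
        """True if an inbound packet passes, per the behaviour in the thread."""
        # ICMP cannot be disabled by this filter at all.
        if proto == PROTO_ICMP:
            return True
        # TCP and UDP are governed only by their own port boxes; the
        # IP Protocols box has no effect on them.
        if proto == PROTO_TCP:
            return self.tcp_ports is None or dst_port in self.tcp_ports
        if proto == PROTO_UDP:
            return self.udp_ports is None or dst_port in self.udp_ports
        # Every other IP protocol is governed by the IP Protocols box.
        return self.ip_protocols is None or proto in self.ip_protocols


def stefans_config() -> NtFilter:
    """Permit all TCP ports, all UDP ports, IP protocols only 6."""
    return NtFilter(ip_protocols=frozenset({PROTO_TCP}))


def udp_disabled_config() -> NtFilter:
    """UDP box set to Permit Only with no ports listed: UDP is blocked."""
    return NtFilter(udp_ports=frozenset())


if __name__ == "__main__":
    # Constructed sample packets: ping, netcat UDP probe, GRE (proto 47).
    for name, pkt in [("ping", (PROTO_ICMP, None)),
                      ("udp netcat", (PROTO_UDP, 5555)),
                      ("gre", (47, None))]:
        print(name, "passes Stefan's filter:", stefans_config().accepts(*pkt))
```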