[12215] in bugtraq


Re: BUG: Win NT TCP/IP Security filters does not get enforced

daemon@ATHENA.MIT.EDU (Stefan Norberg)
Tue Oct 12 04:39:05 1999

Message-Id:  <000a01bf1322$63e06790$0500000a@hermes>
Date:         Sun, 10 Oct 1999 15:21:39 +0200
Reply-To: Stefan Norberg <stnor@SWEDEN.HP.COM>
From: Stefan Norberg <stnor@SWEDEN.HP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Todd Sabin writes:
> Apparently, the way it works is that for UDP and TCP, you completely
> disable them by changing their setting to "Permit Only", and don't
> permit any ports, rather than with the IP protocols box.  Since you
> left UDP at permit all ports, your netcat test got through.
>
> The IP Protocols box is protocols other than UDP and TCP.  Except for
> ICMP.  You can't disable that at all, as you noticed.  Not being able
> to disable ICMP was discussed on NTBugtraq a little while ago.
>

It seems that you are right.
I used PPTP (GRE) to test it and the RAS server did send an ICMP message
back:

14:49:19.769569 gre-proto-0x880B (gre encap)
14:49:19.769647 RASSERVER > CLIENT: icmp: RASSERVER protocol 47 unreachable

However, I still consider it a bug. The GUI is misleading. If I configure
the TCP/IP security using the GUI to "Permit *only* IP protocols: 6 (TCP)",
then EVERYTHING, including ICMP and UDP (regardless of other settings), should
be denied and NT should send an ICMP unreachable.

/stefan

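The following is an added example, not code from the original post or from Microsoft: a small Python model of how the NT 4 "TCP/IP Security" filters are applied, following Todd Sabin's description quoted above (TCP and UDP each have their own port list, the IP Protocols box only covers other protocols, and ICMP is never filtered) and the GRE test in this post. The registry value names in the comments (EnableSecurityFilters, TcpAllowedPorts, UdpAllowedPorts, RawIpAllowedProtocols) and the REG_MULTI_SZ convention that a single "0" entry means "permit all" come from Microsoft's NT 4 TCP/IP parameter documentation, not from this page; the filter sets and port numbers below are constructed for illustration.

```python
# Added example (not from the original post): models NT 4 TCP/IP Security
# filter semantics as described in the thread.  This is a model of the
# documented behaviour, not NT's actual filtering code.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47   # PPTP data channel, the protocol used in the test above

# None models "Permit All"; a (possibly empty) frozenset models "Permit Only".
# An empty frozenset is the only way to block TCP or UDP entirely, because
# the raw IP protocol list is never consulted for those two protocols.
FilterList = Optional[FrozenSet[int]]


@dataclass(frozen=True)
class SecurityFilters:
    enable_security_filters: bool = True        # EnableSecurityFilters (DWORD)
    tcp_allowed_ports: FilterList = None        # TcpAllowedPorts (MULTI_SZ)
    udp_allowed_ports: FilterList = None        # UdpAllowedPorts (MULTI_SZ)
    raw_ip_allowed_protocols: FilterList = None  # RawIpAllowedProtocols (MULTI_SZ)


def parse_multi_sz(entries: List[str]) -> FilterList:
    """Decode one REG_MULTI_SZ filter list: a single "0" entry means
    Permit All; an empty list means Permit Only with nothing permitted."""
    if entries == ["0"]:
        return None
    return frozenset(int(e) for e in entries)


def _permitted(allowed: FilterList, value: int) -> bool:
    return allowed is None or value in allowed


def inbound_allowed(f: SecurityFilters, protocol: int, dst_port: int = 0) -> bool:
    """Return True if an inbound datagram passes the security filters."""
    if not f.enable_security_filters:
        return True
    if protocol == IPPROTO_ICMP:
        # ICMP cannot be filtered at all, whatever the protocol list says.
        return True
    if protocol == IPPROTO_TCP:
        return _permitted(f.tcp_allowed_ports, dst_port)
    if protocol == IPPROTO_UDP:
        return _permitted(f.udp_allowed_ports, dst_port)
    # Everything else (GRE, ESP, ...) is governed by the "IP Protocols" box.
    return _permitted(f.raw_ip_allowed_protocols, protocol)


# What the GUI setting "Permit only IP protocols: 6 (TCP)" actually stores:
# only the raw-IP list is restricted, and listing 6 there is a no-op because
# TCP is never checked against that list.  TCP and UDP stay at Permit All.
AS_CONFIGURED = SecurityFilters(raw_ip_allowed_protocols=frozenset({IPPROTO_TCP}))

# What blocks UDP (and unwanted TCP): UDP set to Permit Only with an empty
# port list, TCP restricted to the served ports (80 here is an assumption),
# and the IP Protocols box set to Permit Only with nothing listed.
INTENDED = SecurityFilters(
    tcp_allowed_ports=frozenset({80}),
    udp_allowed_ports=frozenset(),
    raw_ip_allowed_protocols=frozenset(),
)


def verdicts(f: SecurityFilters) -> Dict[str, bool]:
    """Evaluate a constructed set of probes against one filter set."""
    return {
        "udp/53": inbound_allowed(f, IPPROTO_UDP, 53),   # the netcat-style UDP probe
        "tcp/80": inbound_allowed(f, IPPROTO_TCP, 80),
        "tcp/139": inbound_allowed(f, IPPROTO_TCP, 139),
        "gre": inbound_allowed(f, IPPROTO_GRE),          # the PPTP/GRE probe
        "icmp": inbound_allowed(f, IPPROTO_ICMP),
    }


if __name__ == "__main__":
    for name, filters in (("as configured", AS_CONFIGURED), ("intended", INTENDED)):
        print(name, verdicts(filters))
```

Running the block shows the point of the thread: with the "as configured" filters UDP/53 and every TCP port still pass, only GRE is dropped, and ICMP passes in both cases. To audit a real NT 4 host, read the three MULTI_SZ values from the adapter's Tcpip parameters key, feed each through parse_multi_sz, and check that the UDP list is an empty set rather than ["0"] when UDP is meant to be blocked.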