I've just been told that Kerio 2.1.5, which was considered to be the (or one of the) best choice, doesn't "see" (and doesn't intercept...) fragmented packets, and thus wouldn't be efficient against an attack based on fragmented packets (see below).
In these conditions, which FW can be suggested, which would be simultaneously:
- free
- parameterizable
- controlling both IN and OUT (thus, not Win WP FW...)
- efficient (thus, not kerio 2.1.5...)
Thanks for advice
About the Kerio issue, this is the very simple test that was suggested to me... and whose result is a little bit frightening:
- Create a Kerio rule denying all Input ICMP (answers to ping requests), and put this rule in 1st position
- ping whoever_you_want: no answer. OK.
- ping -l 5000 whoever_you_want: damn, you get an answer! (the -l parameter, setting a packet size above the MTU, obliges ping to fragment)
Even more serious: don't even add any rule, but with the systray icon, choose "Stop traffic" (or something like that, my own Kerio is in French, and I don't know the exact label in English). Even in this case, "simple" ping doesn't work, but "fragmented" ping does...
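The fragment behaviour described in the post, modelled in Python as an added example (not code from the post or from Kerio): a per-packet filter that never inspects fragments lets every fragment of a denied echo reply through, while a filter that takes its verdict on the first fragment (the only one carrying the ICMP header) and carries it to the rest of the datagram does not. The packet layout, addresses and the 1500-byte MTU split are constructed sample values.

```python
import struct
ICMP_PROTO, ICMP_ECHO_REPLY, IP_MF = 1, 0, 0x2000   # IP_MF: "more fragments" flag
SRC, DST = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])  # constructed sample addresses
IP_FMT = "!BBHHHBBH4s4s"            # IPv4 header without options, checksum left at 0 here

def build_ip(payload, proto, ident, offset_words, more):
    ff = (IP_MF if more else 0) | (offset_words & 0x1FFF)   # flags + 13-bit offset
    return struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), ident, ff, 64, proto, 0, SRC, DST) + payload

def parse_ip(pkt):
    ver_ihl, _, _, ident, ff, _, proto, _, src, _ = struct.unpack(IP_FMT, pkt[:20])
    return {"src": src, "ident": ident, "proto": proto, "more": bool(ff & IP_MF),
            "offset": (ff & 0x1FFF) * 8, "payload": pkt[(ver_ihl & 0x0F) * 4:]}

def is_echo_reply(ip):
    return ip["proto"] == ICMP_PROTO and ip["payload"][:1] == bytes([ICMP_ECHO_REPLY])
def naive_filter(pkt):
    ip = parse_ip(pkt)
    if ip["more"] or ip["offset"]:
        return "accept"   # fragment: never inspected, passes untouched (the behaviour the post reports)
    return "drop" if is_echo_reply(ip) else "accept"   # rule: deny incoming echo reply

class FragmentAwareFilter:
    """Decide on the first fragment (the only one with an ICMP header), keyed on (src, IP id)."""
    def __init__(self):
        self.verdicts = {}
    def check(self, pkt):
        ip = parse_ip(pkt)
        key = (ip["src"], ip["ident"])
        if ip["offset"] == 0:
            verdict = "drop" if is_echo_reply(ip) else "accept"
            if ip["more"]:
                self.verdicts[key] = verdict    # remember for the following fragments
            return verdict
        # Non-initial fragment: no ICMP header to inspect, so inherit the first fragment's
        # verdict; fail closed if none was seen (a real firewall would queue for reassembly).
        verdict = self.verdicts.get(key, "drop")
        if not ip["more"]:
            self.verdicts.pop(key, None)        # last fragment: forget the datagram
        return verdict

def run_demo():
    # Constructed: a 1600-byte echo reply split at a 1500-byte MTU (1480 data bytes per fragment)
    icmp = bytes([ICMP_ECHO_REPLY, 0, 0, 0, 0, 1, 0, 1]) + b"A" * 1592
    frags = [build_ip(icmp[:1480], ICMP_PROTO, 0x1234, 0, True),
             build_ip(icmp[1480:], ICMP_PROTO, 0x1234, 1480 // 8, False)]
    fw = FragmentAwareFilter()
    return {"naive_whole": naive_filter(build_ip(icmp, ICMP_PROTO, 0x1235, 0, False)),
            "naive_fragments": [naive_filter(f) for f in frags],
            "aware_fragments": [fw.check(f) for f in frags]}
```

Running `run_demo()` gives `drop` for the unfragmented reply under both filters, `accept` for both fragments under the naive filter, and `drop` for both under the fragment-aware one.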