On Sun, 2002-05-05 at 11:55, shef-lug-admin [at] list.sheflug.org.uk wrote:

> > you can fool the firewall into thinking that the incoming connection is
> > related to an existing one, then you've got your way around the
> > firewall.
>
> Like opening a connection - using say irc - and then passing special
> packets ..?

Kind of. Active ftp is the most fun one - if you can provoke an internal ftp
connection going out to a site (IE exploit?), or you can fool ipchains/tables
into thinking the incoming connection is related to an existing ftp
connection, you can connect to any machine on the internal network, for
example.

> Re "unroutableness" of RFC 1918 ip addresses. I imagine that most Internet
> routers would drop packets destined to and from those ranges. Though I
> notice Blueyonder uses a 10.x.y.z address for its internal dhcp servers - is
> this standard practice for ISPs and network carriers ..?

Only intelligent routers tend to drop those packets. For example, do a
tracepath to some 'private' address - I tried 10.0.0.1. I got seven hops
before it stopped routing. It actually got all the way to Telehouse.

> Re that sort of thing. How does the order of the rule sets work in
> iptables?

Top to bottom.

> I'm trying to portforward some services and would like internal
> clients to use the same address as external clients.

Not going to work; don't even bother. Use a split DNS system to provide
internal addresses to internal clients and external addresses to external
clients.

Cheers,

Alex.

PS - Richard - the mailing list appears to be screwing the From: address.
Can we get this fixed? Thanks!
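The two firewall points Alex makes above (the active-ftp conntrack hole, and rules being walked top to bottom) can be shown together in a small model. This is an added example, not code from the list or from ipchains/iptables: it models a first-match rule walk and an FTP helper that turns a PORT command seen on an outbound control connection into an expectation for an inbound data connection. The `loose` switch is modelled on the `loose` parameter of the Linux FTP conntrack helper; the addresses, payloads and rule set are constructed for illustration.

```python
"""Toy stateful filter: first-match rule walk plus an active-FTP helper.

Added example, not code from the mailing list. Addresses, the `loose`
switch and the rule set below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Active-mode PORT command: "PORT h1,h2,h3,h4,p1,p2", port = p1*256 + p2
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_port_command(payload: bytes):
    """Return (ip, port) announced by a PORT command, or None if absent/invalid."""
    m = PORT_RE.search(payload)
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


@dataclass
class Firewall:
    rules: list                 # ordered (predicate, verdict); first match wins
    loose: bool = False         # True: helper trusts any address in PORT (the hole)
    expectations: set = field(default_factory=set)

    def watch_ftp_control(self, client_ip, server_ip, payload):
        """Helper hook for outbound client -> server:21 traffic carrying PORT."""
        ann = parse_port_command(payload)
        if ann is None:
            return None
        data_ip, data_port = ann
        # Hardened helper: a client may only open a hole back to itself.
        if not self.loose and data_ip != client_ip:
            return None
        # Expect the server to connect inbound to data_ip:data_port.
        self.expectations.add((server_ip, data_ip, data_port))
        return ann

    def state_of(self, src, dst, dport):
        return "RELATED" if (src, dst, dport) in self.expectations else "NEW"

    def verdict(self, src, dst, dport):
        """Walk the chain top to bottom; the first matching rule decides."""
        state = self.state_of(src, dst, dport)
        for matches, v in self.rules:
            if matches(src, dst, dport, state):
                return v
        return "DROP"           # chain policy when nothing matched


def related(src, dst, dport, state):
    return state == "RELATED"

def to_dmz_web(src, dst, dport, state):
    return dst == "192.168.1.80" and dport == 80

def anything(*_):
    return True

# A typical FORWARD chain: allow RELATED, allow the web server, drop the rest.
TYPICAL_RULES = [(related, "ACCEPT"), (to_dmz_web, "ACCEPT"), (anything, "DROP")]


def simulate(loose):
    """Internal client lured to an attacker's FTP server sends a PORT naming an
    internal file server; the attacker then connects to that server."""
    fw = Firewall(TYPICAL_RULES, loose=loose)
    client, attacker, victim = "192.168.1.10", "203.0.113.5", "192.168.1.20"
    fw.watch_ftp_control(client, attacker, b"PORT 192,168,1,20,0,139\r\n")
    return fw.verdict(attacker, victim, 139)


def ordering_matters():
    """Same rules with the catch-all DROP moved to the top: later rules are
    never reached."""
    fw_ok = Firewall(TYPICAL_RULES)
    fw_bad = Firewall([(anything, "DROP")] + TYPICAL_RULES[:2])
    probe = ("203.0.113.5", "192.168.1.80", 80)
    return fw_ok.verdict(*probe), fw_bad.verdict(*probe)


if __name__ == "__main__":
    print("loose helper, attacker -> 192.168.1.20:139:", simulate(loose=True))
    print("strict helper, same probe:", simulate(loose=False))
    print("web probe, sane order / DROP-first order:", ordering_matters())
```

With the permissive helper the attacker's SYN to the internal file server is classified RELATED and sails through the blanket RELATED,ESTABLISHED accept; with the strict check it is NEW and falls to the catch-all drop. The second function shows why rule position matters: a catch-all placed first shadows every rule beneath it.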