
Re: [Sheflug] Re: Iptables



On 05 May 2002 12:44:48 +0100
shef-lug-admin@list.sheflug.org.uk wrote:

> On Sun, 2002-05-05 at 11:55, shef-lug-admin [at] list.sheflug.org.uk wrote:
> > >you can fool the firewall into thinking that the incoming connection
> > >is related to an existing one, then you've got your way around the
> > >firewall.
> > Like opening a connection - using, say, irc - and then passing special
> > packets ..?
> 
> Kind of. Active ftp is the most fun one - if you can provoke an internal
> ftp connection going out to a site (IE exploit?), or you can fool
> ipchains/tables into thinking the incoming connection is related to an
> existing ftp connection, you can connect to any machine on the internal
> network, for example.

You need to block all incoming connections unless you're specifically
running internet-accessible services. Active ftp deserves to die a quiet
and long overdue death; all ftp clients should be configured to use
passive ftp. Any services that need to open ports on the client are a big
security hole, and their usefulness should be reviewed.

> > Re "unroutableness" of RFC 1918 IP addresses. I imagine that most
> > Internet routers would drop packets destined to and from those ranges.
> > Though I notice Blueyonder uses a 10.x.y.z address for its internal DHCP
> > servers - is this standard practice for ISPs and network carriers ..?

It means they don't have to use a public IP address for their server that
they can sell to a paying customer... I would say using an RFC1918 address
would keep their DHCP servers 'destination unreachable' and hence private
from the rest of the internet, but see below.

> Only intelligent routers tend to drop those packets. For example, do a
> tracepath to some 'private' address - I tried 10.0.0.1. I got seven hops
> before it stopped routing. It actually got all the way to Telehouse.

That's disgraceful. I tried it myself (after changing my firewall to let
the packets out) and got the same result. It's not the outgoing packets
that are the problem, it's the fact that theoretically someone between the
ISP and Telehouse could spoof as an RFC1918 address and maybe pretend they
were inside your private network if you had a poor (nonexistent) firewall
that lets in RFC1918 from the external interface. This should be blocked
by the ISP, as well as the customer.

--Andrew

-- 
sparc sun4c stuff:
	http://www.lostgeneration.freeserve.co.uk/sparc
PGP key for list [at] lostgeneration.freeserve.co.uk:
	http://www.lostgeneration.freeserve.co.uk/list.freeserve.co.uk.asc
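The advice in this thread (default-deny inbound, let state tracking admit only replies to connections opened from inside, drop RFC 1918 sources arriving on the external interface, and do not leak RFC 1918 destinations outward) collected into one iptables ruleset for a small gateway. This is an added example, not a script from the original thread or from anyone on the list: the interface names eth0/eth1 and the internal network 192.168.1.0/24 are assumptions, and DRY_RUN=1 (the default) prints the commands instead of running them, so the policy can be read and checked without root.

```shell
#!/bin/sh
# Added example (not from the thread): minimal stateful iptables policy
# for a gateway with one external and one internal interface.
# Assumptions (hypothetical): eth0 faces the internet, eth1 faces the LAN,
# the LAN is 192.168.1.0/24. Override with environment variables.
EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# DRY_RUN=1 (default) only prints the iptables commands; DRY_RUN=0 runs them.
DRY_RUN="${DRY_RUN:-1}"

# RFC 1918 ranges plus loopback: never a legitimate source on the external
# interface, and never a legitimate destination leaving through it.
MARTIANS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# Wrapper so the same function can be reviewed (printed) or applied.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

firewall_rules() {
    # Default deny for anything arriving at or passing through the box;
    # the box itself may talk outward.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT
    ipt -F FORWARD
    ipt -F OUTPUT
    ipt -t nat -F POSTROUTING

    # Anti-spoofing comes first, before any state rule can match: a packet
    # claiming a private source on the external interface is forged or
    # misrouted, and private destinations must not leak out either.
    for net in $MARTIANS; do
        ipt -A INPUT -i "$EXT_IF" -s "$net" -j DROP
        ipt -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
        ipt -A OUTPUT -o "$EXT_IF" -d "$net" -j DROP
        ipt -A FORWARD -o "$EXT_IF" -d "$net" -j DROP
    done

    ipt -A INPUT -i lo -j ACCEPT

    # Only replies to connections opened from inside come back in. With no
    # FTP connection-tracking helper loaded, an inbound active-FTP data
    # connection is NEW rather than RELATED and falls through to the DROP
    # policy, so internal clients must use passive mode.
    # (Current kernels also accept: -m conntrack --ctstate ESTABLISHED,RELATED)
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts may open new connections outward; they are NATed behind
    # the external address since their own addresses are RFC 1918.
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$EXT_IF" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE

    # Any internet-accessible service would get an explicit
    # "-A INPUT -i $EXT_IF -p tcp --dport N -j ACCEPT" here; everything
    # else arriving NEW from outside is dropped by the chain policy.
}

firewall_rules
```

Run as root with DRY_RUN=0 to apply. The order matters: the martian drops sit above the ESTABLISHED,RELATED accept so that a forged private-range packet never gets a chance to match a tracked flow, and the loopback accept is restricted to the lo interface so 127.0.0.0/8 arriving on eth0 is still dropped.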
