[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
[linux-security] Re: IP Filters and Masq: precisions
- From: Glynn Clements <glynn sensei co uk>
- To: Mailing Lists <mlist almerco ca>
- Cc: linux-security redhat com
- Subject: [linux-security] Re: IP Filters and Masq: precisions
- Date: Wed, 12 Aug 1998 18:24:05 +0100 (BST)
Mailing Lists wrote:
> I know about how masq works, I already have built one network using it. I
> have 15 computers inside my IP+masq firewall, with the fake class C IP
> range 192.168.x.x, and 5 computers in a normal class C on the outside. It works
> great! My only concern really is that I want to know if there is any way
> for a hacker to directly connect to one of my protected computers from the
> outside.
No, but one of the protected computers could connect to the hacker.
> Can a Java or ActiveX applet do the trick?
A Java applet shouldn't cause any problems, unless there's a bug in
the JVM. A Java applet should only be able to connect to the host
which served it, so even though it's inside the firewall, it can't
(or shouldn't be able to) connect to other hosts inside the firewall,
including the one that it's running on.
OTOH, an ActiveX program could connect to protected hosts on behalf of
the hacker. ActiveX programs are supposed to be signed, but other than
that you have no protection.
> Or if a computer from the inside initiates a connection to
> some.evil.org, can this host piggyback the link and access the
> computer from which the connection was initially made?
Not at the TCP/IP layer. The only packets which will be sent back to a
protected system by the masq firewall are those which are replies to
the outbound packet (i.e. those having the appropriate destination
port). These will be sent to the (presumably ephemeral) port from
which the TCP connection was made.
However, if your client program has a buffer overrun bug, and you
connect to a server which sends data constructed so as to exploit this
bug, then it can result in the client executing arbitrary code
provided by the server.
This problem exists however the connection is made, whether directly,
via a masq firewall, or via a proxy. Worse still, the same sort of
attack can be made via email.
The only solution is to ensure that all Internet clients are free from
buffer overruns. If a client uses other programs or libraries to
handle the data, the same problem applies to these.
> That's the kind of questions I'm asking myself and haven't
> seen any answers about them. Some friend of mine says he heard of a way to
> circumvent a masq firewall and access a computer inside, but that's as far
> as he remembers.
Any attack would require inside assistance of some description.
--
Glynn Clements <glynn sensei co uk>
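The forwarding rule Glynn describes (only replies to an outbound packet are passed back in, and only to the port the inside host used) is easiest to see as a translation table. The following is an added example, not code from the original message or from the Linux masquerading code; it is a toy model of such a table. The addresses (203.0.113.1 for the masq box, 198.51.100.7 standing in for some.evil.org, 192.168.1.10 for an inside host) and the starting masq port 61000 are constructed for the illustration. It assumes the table is matched on the full remote address and port, so even the server that the inside host talked to cannot push packets to any other inside port, and a third outside host cannot use the mapping at all.

```python
"""Toy model of a masquerading firewall's translation table (added example).

Demonstrates why an outside host cannot reach a 192.168.x.x machine unless that
machine opened a connection first, and why even then only the peer that was
contacted can send packets back, and only to the port the connection came from.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Tuple
import itertools

EXTERNAL_IP = "203.0.113.1"       # assumed public address of the masq box
EVIL_ORG = "198.51.100.7"         # assumed address for some.evil.org
INSIDE_HOST = "192.168.1.10"      # one of the protected machines


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# (inside ip, inside port, remote ip, remote port) recorded per masq port
Entry = Tuple[str, int, str, int]


@dataclass
class Masquerader:
    external_ip: str
    table: Dict[int, Entry] = field(default_factory=dict)
    ports: Iterator[int] = field(default_factory=lambda: itertools.count(61000))

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet and remember the mapping.

        A repeated packet from the same inside socket to the same peer reuses
        the existing masq port instead of allocating a new one.
        """
        key: Entry = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for mport, entry in self.table.items():
            if entry == key:
                break
        else:
            mport = next(self.ports)
            self.table[mport] = key
        return Packet(self.external_ip, mport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the de-masqueraded packet, or None if it must be dropped."""
        if pkt.dst_ip != self.external_ip:
            # Private addresses are not routable; nothing can be addressed
            # to 192.168.x.x from the outside.
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None        # no inside host opened this port: dropped
        in_ip, in_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None        # not the peer the inside host talked to
        # Reply goes only to the socket that originated the connection.
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)


def demo() -> Dict[str, Optional[Packet]]:
    """Walk through the scenarios discussed in the message."""
    masq = Masquerader(EXTERNAL_IP)
    results: Dict[str, Optional[Packet]] = {}

    # 1. Hacker tries to reach an inside telnet port directly: dropped.
    results["direct"] = masq.inbound(Packet(EVIL_ORG, 4000, INSIDE_HOST, 23))
    # 2. Hacker tries the masq box's own port 23: no mapping, dropped.
    results["unsolicited"] = masq.inbound(Packet(EVIL_ORG, 4000, EXTERNAL_IP, 23))
    # 3. Inside host connects to some.evil.org port 80 from ephemeral port 1025.
    results["outbound"] = masq.outbound(Packet(INSIDE_HOST, 1025, EVIL_ORG, 80))
    # 4. some.evil.org replies on the established mapping: forwarded to :1025.
    results["reply"] = masq.inbound(Packet(EVIL_ORG, 80, EXTERNAL_IP, 61000))
    # 5. some.evil.org tries from another source port: dropped.
    results["piggyback"] = masq.inbound(Packet(EVIL_ORG, 6666, EXTERNAL_IP, 61000))
    # 6. A different outside host tries to use the mapping: dropped.
    results["third_party"] = masq.inbound(Packet("198.51.100.9", 80, EXTERNAL_IP, 61000))
    return results


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12s} -> {'DROP' if pkt is None else pkt}")
```

What the model does not show is the point Glynn makes in the rest of the message: the reply in step 4 is delivered to the client exactly as the server built it, so a buffer overrun in the client reached through that one legitimate path is the hole, not the firewall.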