[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[linux-security] Re: IP Filters and Masq: precisions



fire fire wrote:

> > > > That's the kind of questions I'm asking myself and haven't
> > > > seen any answers about them.  Some friend of mine says he heard of a way to
> > > > circumvent a masq firewall and access a computer inside, but that's as far
> > > > as he remembers.
> > >
> > > The probable method is some form of IP source routing.
> >
> > Source routing will enable you to get a packet to the masq firewall,
> > even if the destination address is a private address. The route which
> > you would need to specify from the masq firewall to the victim would
> > usually be the route which the packet would take anyhow.
> >
> > If you are running a masq firewall, you would normally disallow any
> > other forwarding (replies to masqueraded packets are demasqueraded and
> > forwarded automatically), so even if you can get the packet to the
> > masq firewall, you're unlikely to get it any further (even without the
> > `drop source-routed packets' option).
> 
> Hey, WHAT if:
> 1. my inner net is 10.0.0.0/8 and I have *source route* enabled! Then a route
> like this would be possible:
> X.X.X.X
> 10.0.0.1
> 10.0.0.Y
> 
> Where X.X.X.X is the gateway the INTERNET sees and 10.0.0.Y is the host in
> question you want to connect to!
> The only thing a *person* would need to figure out is *somehow* what IP
> numbers are used in the inner net, and try some things on your gateway!

This would require the gateway to permit forwarding of inbound
packets. Given that replies to masqueraded packets are automatically
demasqueraded and forwarded, there is no reason to permit forwarding
of inbound packets.

Given that the poster described the gateway as a firewall, it seems
reasonable to assume that it doesn't allow forwarding of inbound
packets. Using:

	ipfwadm -Fp reject
	ipfwadm -Fma accept -S 10.0.0.0/8

would prevent this (assuming that you've also prevented IP spoofing),
regardless of whether source routing is permitted.

-- 
Glynn Clements <glynn sensei co uk>
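As an added illustration of the exchange above (example code, not from the original thread or from either poster): the script below builds an IPv4 header carrying a Loose Source and Record Route option (LSRR, option type 131) of the shape the quoted message describes (X.X.X.X, then 10.0.0.1, then 10.0.0.Y), parses it back, and runs it through a toy model of the gateway's forwarding decision written after the two ipfwadm rules in the reply (default policy reject; accept and masquerade only packets sourced from 10.0.0.0/8). The interface names eth0/eth1, the addresses 198.51.100.1 and 10.0.0.42 standing in for X.X.X.X and 10.0.0.Y, the attacker address 203.0.113.7, and the anti-spoofing rule that drops 10/8 sources seen on the external interface are all assumptions for illustration; the checksum field is left zero and not verified.

```python
"""Added example: LSRR-carrying IPv4 header vs. a masquerading gateway's
forwarding policy.  Not from the original thread; addresses, interface
names and the anti-spoof rule are assumptions made for illustration."""
import ipaddress
import struct

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
GATEWAY_PUBLIC = "198.51.100.1"      # assumed stand-in for X.X.X.X
GATEWAY_INTERNAL = "10.0.0.1"        # the 10.0.0.1 hop from the quoted route
INTERNAL_HOST = "10.0.0.42"          # assumed stand-in for 10.0.0.Y
GATEWAY_ADDRS = {GATEWAY_PUBLIC, GATEWAY_INTERNAL}
EXTERNAL_IF, INTERNAL_IF = "eth0", "eth1"   # assumed interface names

IPOPT_LSRR = 131   # Loose Source and Record Route (RFC 791)
IPOPT_SSRR = 137   # Strict Source and Record Route (RFC 791)


def build_ipv4(src, dst, route=None, proto=6):
    """Return raw IPv4 header bytes (no payload, checksum left as zero).
    If `route` is given, an LSRR option listing those hops is appended;
    `dst` is then the first hop, as a source-routing sender would set it."""
    options = b""
    if route:
        hops = b"".join(ipaddress.ip_address(h).packed for h in route)
        # type, length, pointer (1-based offset of the first unused hop = 4)
        options = bytes([IPOPT_LSRR, 3 + len(hops), 4]) + hops
    options += b"\x00" * (-len(options) % 4)      # pad to 32-bit boundary
    ihl = 5 + len(options) // 4
    ver_ihl = (4 << 4) | ihl
    fixed = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, ihl * 4, 0, 0, 64, proto, 0,
                        ipaddress.ip_address(src).packed,
                        ipaddress.ip_address(dst).packed)
    return fixed + options


def parse_ipv4(pkt):
    """Parse the fixed header plus options; report any source-route option."""
    ver_ihl, _, _, _, _, _, _, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    opts = pkt[20:(ver_ihl & 0x0F) * 4]
    route, source_routed, i = [], False, 0
    while i < len(opts):
        t = opts[i]
        if t == 0:            # End of Option List
            break
        if t == 1:            # No Operation
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed IP option")
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            source_routed = True
            data = opts[i + 3:i + length]             # skip type, len, pointer
            route = [str(ipaddress.ip_address(data[j:j + 4]))
                     for j in range(0, len(data), 4)]
        i += length
    return {"src": str(ipaddress.ip_address(src)),
            "dst": str(ipaddress.ip_address(dst)),
            "source_routed": source_routed, "route": route}


def gateway_decision(pkt, in_iface, drop_source_routed=False):
    """Toy model of the gateway.  Returns (verdict, detail).
    LSRR handling follows RFC 791: while the packet is addressed to one of
    our own addresses and hops remain, the next hop becomes the destination.
    The forwarding step mirrors the reply's rules:
        ipfwadm -Fp reject                     -> REJECT by default
        ipfwadm -Fma accept -S 10.0.0.0/8      -> ACCEPT-MASQ for 10/8 sources
    plus an assumed anti-spoofing drop of 10/8 sources on the outside."""
    p = parse_ipv4(pkt)
    if drop_source_routed and p["source_routed"]:
        return ("DROP", "source-routed packet")
    dst, hops = p["dst"], list(p["route"])
    while dst in GATEWAY_ADDRS and hops:
        dst = hops.pop(0)
    if dst in GATEWAY_ADDRS:
        return ("LOCAL", dst)                  # delivered to the gateway itself
    src = ipaddress.ip_address(p["src"])
    if in_iface == EXTERNAL_IF and src in INTERNAL_NET:
        return ("DROP", "spoofed 10/8 source on external interface")
    if src in INTERNAL_NET:
        return ("ACCEPT-MASQ", dst)            # demasqueraded replies return automatically
    return ("REJECT", dst)                     # forwarding policy


if __name__ == "__main__":
    attack = build_ipv4("203.0.113.7", GATEWAY_PUBLIC, route=[GATEWAY_INTERNAL, INTERNAL_HOST])
    print(parse_ipv4(attack))
    print("attacker, source-routed, no SR filter:", gateway_decision(attack, EXTERNAL_IF))
    print("attacker, source-routed, SR filter on :", gateway_decision(attack, EXTERNAL_IF, True))
    print("inside host going out               :",
          gateway_decision(build_ipv4(INTERNAL_HOST, "203.0.113.7"), INTERNAL_IF))
```

The point the reply makes falls out of the model: with the source-route filter switched off, the LSRR option does get the packet onto the gateway and advances its destination to 10.0.0.Y, but the packet then enters the forwarding step with an external source address, matches neither the masquerade rule nor anything else, and hits the reject policy. The anti-spoofing rule is what keeps an attacker from sidestepping this by writing a 10/8 source address into the header.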
