Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Security Problems with Linux 2.2.x IP Masquerading

From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 29 Mar 2000 15:59:09 +1000

In some mail from Nigel Metheringham, sie said:


hdm () SECUREAUSTIN COM said:

The UDP masquerading code only checks the DESTINATION PORT to
determine if a packet coming from the external network is to be
forwarded inside.


this is due to a number of hosts/services returning UDP from an IP
other than that which the original UDP packet went to - for example it
is frequently the case that NFS servers just use the interface ip
address "closest" to that which the NFS op came from.


Common sense would suggest that the client should be using that address
too...


I'll give this some thought to work out a way of narrowing this hole (I
don't think it can be completely closed without causing other problems).


Here's some advice from the implementation of IP Filter:
I've had it closed since day 0 and had 0 reports of problems because of it.

Cheers,
Darren
Previous By Date Next
Previous By Thread Next

Current thread: