Bugtraq mailing list archives
Re: Loopback and multi-homed routing flaw in TCP/IP stack.
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 7 Mar 2001 15:12:24 +0300
Hello Martin,

Wednesday, March 07, 2001, 1:05:17 AM, you wrote:

MM> there is no argument for making 'Weak ES Model' default. Including

Catch one: changing the security model will give additional undesired work for administrators. The situation where a multihomed host has services bound to all interfaces is more common than the situation where a multihomed host has services bound to a single interface. I do not consider myself a guru in this question. But I do not see enough security risk in this problem to change default behavior, essentially for multihomed hosts. Nevertheless, it could be nice to have a configuration option, something like "disable internal routing".

MM> the fact that almost no current
MM> Security-HOWTO's/Firewall-HOWTO's/Networking-HOWTO's don't discuss
MM> that topic ...

It's a good point to update the HOWTOs. They MUST discuss this topic regardless of the results of this flame. The Linux HOWTOs should have been updated a long time ago, because they are incomplete and miss a lot of key moments.

Example: Firewall-HOWTO from www.linux.org, Updated: February 2000, IP filtering setup (IPFWADM and IPCHAINS) section. The demo rules give a false sense of security, because an external hacker can access the whole network by UDP using source port 53 (destination port never checked) and all unprivileged TCP ports using source port 80 (connection isn't checked to be established). Nearly the same problem is in the Linux IPCHAINS-HOWTO.

Sorry if I chose the wrong source for getting the HOWTOs - I'm not from the Linux world.

MM> Have a nice day

--
~/3APA3A
The trouble will begin at eight. (Twain)
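The filtering weakness described in the message above, as an added example that is not part of the original post or of any HOWTO: a minimal model of a stateless, default-deny input chain that compares source-port-only accept rules with rules that also check the destination port and refuse TCP connection openers. The rule sets, class names and sample packets are constructed for illustration and are assumptions, not the HOWTO's actual rules.

```python
from dataclasses import dataclass
from typing import Optional

UNPRIV = range(1024, 65536)   # unprivileged ports

@dataclass(frozen=True)
class Packet:                 # one inbound packet, as a stateless filter sees it
    proto: str
    sport: int
    dport: int
    syn_only: bool = False    # TCP SYN without ACK: a new connection attempt

@dataclass(frozen=True)
class Rule:                   # ACCEPT rule; None means "field is not checked"
    proto: str
    sport: Optional[int] = None
    dports: Optional[range] = None
    refuse_syn: bool = False  # same idea as ipchains "! -y"

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return not (self.refuse_syn and p.syn_only)

def accepted(rules, p):
    """Default-deny input chain: accept only if some rule matches."""
    return any(r.matches(p) for r in rules)

# Modelled on the post's description, not copied from the HOWTO.
WEAK = [Rule("udp", sport=53), Rule("tcp", sport=80, dports=UNPRIV)]
TIGHT = [Rule("udp", sport=53, dports=UNPRIV),
         Rule("tcp", sport=80, dports=UNPRIV, refuse_syn=True)]

SAMPLES = {  # constructed packets
    "dns_reply": Packet("udp", 53, 40000),
    "udp_sport53_to_port111": Packet("udp", 53, 111),
    "http_reply": Packet("tcp", 80, 40000),
    "tcp_sport80_new_conn": Packet("tcp", 80, 6000, syn_only=True),
}

def compare():
    """Return {name: (accepted by WEAK, accepted by TIGHT)}."""
    return {n: (accepted(WEAK, p), accepted(TIGHT, p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:24} weak={verdict[0]} tight={verdict[1]}")
```

The tightened UDP rule is still stateless and admits any datagram from source port 53 to an unprivileged port; closing that gap requires a filter that tracks which queries were actually sent.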