Bugtraq mailing list archives
RE: ICMP pokes holes in firewalls...
From: "Daniel Chemko" <dchemko () smgtec com>
Date: Thu, 25 Sep 2003 15:05:07 -0700
NAT gateway has been detected as an ignore-the-source UDP forwarder
2.4 kernels: NAT doesn't work without ip_conntrack, and ip_conntrack always keeps track of source IP addresses (hence its function). I can't think of a situation for any Linux machine which allows inbound UDP replies from other sources. Spoofing the original sender's address is a different story, but that is pandemic of any stateless AND insecure protocol.
I posted about this in March of 2000, the kernel development team response was that many RPC services require this functionality and it would not be fixed. The reason is that many UDP-based RPC services will respond back to requests from an alternative interface using a different IP address entirely.
Just recently someone has written a conntrack handler to traverse firewalls with RPC as you describe. No leaks to my knowledge, although I am not too familiar with this module.
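Added example, not part of the original message and not netfilter code: a simplified Python model of the two UDP reply-matching behaviours discussed above, one that tracks the remote source address and one that ignores it, run against the multi-homed RPC reply case. The class and function names, addresses, ports and the 30-second timeout are all constructed assumptions.

```python
from collections import defaultdict

class UdpStateTable:
    """Toy model of stateful UDP reply matching; not netfilter's implementation."""

    def __init__(self, strict=True, timeout=30.0):
        self.strict = strict      # True: reply must come from the tracked peer
        self.timeout = timeout    # constructed idle timeout, in seconds
        # (inside_ip, inside_port) -> {(remote_ip, remote_port): expiry_time}
        self.flows = defaultdict(dict)

    def outbound(self, inside, remote, now):
        """Record an outgoing datagram so that a reply can be matched later."""
        self.flows[inside][remote] = now + self.timeout

    def inbound_allowed(self, remote, inside, now):
        """Decide whether an inbound datagram counts as a reply to a tracked flow."""
        peers = self.flows.get(inside, {})
        live = {peer for peer, expiry in peers.items() if expiry > now}
        if not live:
            return False          # no unexpired state for this inside endpoint
        if not self.strict:
            return True           # ignore-the-source: any sender is forwarded
        if remote in live:
            peers[remote] = now + self.timeout   # matching reply refreshes the entry
            return True
        return False              # source differs from the tracked peer

def demo():
    # Constructed documentation addresses (RFC 5737) and ports.
    client = ("192.0.2.10", 40000)
    rpc_server = ("198.51.100.5", 111)
    rpc_alt_if = ("198.51.100.6", 111)   # same service replying from another address
    unrelated = ("203.0.113.9", 53)
    results = {}
    for name, strict in (("strict", True), ("ignore_source", False)):
        table = UdpStateTable(strict=strict)
        table.outbound(client, rpc_server, now=0)
        results[name] = {
            "tracked_peer": table.inbound_allowed(rpc_server, client, now=1),
            "alt_interface": table.inbound_allowed(rpc_alt_if, client, now=1),
            "unrelated_host": table.inbound_allowed(unrelated, client, now=1),
            "after_timeout": table.inbound_allowed(rpc_server, client, now=100),
        }
    return results

if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

In this model the strict table drops the reply from the alternative interface along with the unrelated host, while the ignore-the-source table forwards both until the entry expires.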