[10051] in bugtraq


Re: Possible security hole

daemon@ATHENA.MIT.EDU (Ryan Russell)
Wed Mar 31 01:06:43 1999

Date: 	Mon, 29 Mar 1999 15:25:59 -0800
Reply-To: Ryan Russell <Ryan.Russell@SYBASE.COM>
From: Ryan Russell <Ryan.Russell@SYBASE.COM>
X-To:         Darren Reed <avalon@coombs.anu.edu.au>
To: BUGTRAQ@NETSPACE.ORG

>I think you missed the point here...if the interfaces are UP, then
>it's likely to be forwarding packets *through* the box...I don't
>know if the NT version of FW-1 has a control ip forwarding option
>as does the Solaris one, but it should.  (The poster didn't say if
>packets got through or if they even tested that).

I didn't miss that, I would consider that part of hardening the OS.
I don't know if one can easily turn IP forwarding back on as
part of the FW software coming up on NT.  That's why I use
it on Solaris. :)  (This is not intended to sparc the usual
OS religious wars.. not that Aleph1 would allow it.  I
said *I* don't know if it can be done on NT.  I know
the answer on Solaris.  Run *your* FW on the OS *you*
can secure best.)

He was asking specifically about pinging the machine itself,
not through it.  Presumably, if NAT was not employed, it
would work just fine.  If he'd had to go through the heroic effort
to script turning forwarding on and off on NT, he probably
would have known the answer to his question... unless it's
not his firewall.

If his site IS using NAT, he can get some extra protection by
blocking the inside nets as a destination at his access
router.  The same for the FW's "real" outside address,
whether NAT is used or not.

                    Ryan
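The last paragraph of the post suggests an access-router rule: drop inbound packets whose destination is one of the inside networks, and likewise anything addressed to the firewall's "real" outside address. The block below is an added illustration of that filter as a small packet-classification function, not code from the post or from any router vendor. The inside networks, the firewall address and the sample packets are all constructed (RFC 1918 and documentation ranges); it also goes one step beyond the post by dropping packets that arrive on the outside interface claiming an inside source address, the usual anti-spoofing companion to the destination rule.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the "inside" nets behind the firewall and the
# firewall's own "real" outside address (documentation ranges, hypothetical).
INSIDE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
FW_OUTSIDE_ADDR = ipaddress.ip_address("203.0.113.1")


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet as seen on the router's outside interface."""
    src: str
    dst: str


def _in_inside_nets(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in INSIDE_NETS)


def access_router_filter(pkt: Packet) -> tuple[str, str]:
    """Classify a packet arriving from the Internet side of the access router.

    Returns ("drop", reason) or ("permit", "").  The first two rules are the
    ones the post describes; the third (spoofed inside source) is an added
    anti-spoofing check, not something the post mentions.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Rule 1: nothing from outside may be addressed directly to an inside net.
    # This holds whether or not NAT is in use; with NAT it should never happen,
    # without NAT it is exactly the traffic the firewall host would forward.
    if _in_inside_nets(dst):
        return "drop", "destination is an inside net"

    # Rule 2: nothing from outside may be addressed to the firewall itself.
    # This is what keeps the firewall box from being pinged (or otherwise
    # reached) from the Internet, independent of what the firewall software does.
    if dst == FW_OUTSIDE_ADDR:
        return "drop", "destination is the firewall's outside address"

    # Rule 3 (added): a packet from the Internet claiming an inside source
    # address is spoofed by definition and should not enter.
    if _in_inside_nets(src):
        return "drop", "source claims an inside net (spoofed)"

    return "permit", ""


def summarize(packets: list[Packet]) -> dict[str, int]:
    """Count verdicts over a batch of packets, useful for checking a rule set."""
    counts = {"drop": 0, "permit": 0}
    for pkt in packets:
        action, _ = access_router_filter(pkt)
        counts[action] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample traffic seen on the outside interface.
    sample = [
        Packet("198.51.100.7", "10.1.2.3"),       # aimed at an inside host
        Packet("198.51.100.7", "203.0.113.1"),    # aimed at the firewall itself
        Packet("198.51.100.7", "203.0.113.25"),   # aimed at a public server behind NAT
        Packet("192.168.5.5", "203.0.113.25"),    # spoofed inside source
    ]
    for pkt in sample:
        print(pkt.src, "->", pkt.dst, access_router_filter(pkt))
    print(summarize(sample))
```

The point of putting these rules on the access router rather than on the firewall is that they take effect before the packet ever touches the firewall host's own IP stack, so they do not depend on whether the OS underneath the firewall has forwarding disabled or how it answers ICMP.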
