[14438] in bugtraq
Re: Security Problems with Linux 2.2.x IP Masquerading
daemon@ATHENA.MIT.EDU (Nigel Metheringham)
Wed Mar 29 01:08:18 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <E12a1vv-00038E-00@rioja.localnet>
Date: Tue, 28 Mar 2000 20:45:47 +0100
Reply-To: Nigel.Metheringham@VDATA.CO.UK
From: Nigel Metheringham <Nigel.Metheringham@VDATA.CO.UK>
X-To: H D Moore <hdm@SECUREAUSTIN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Message from H D Moore <hdm@SECUREAUSTIN.COM> of "Mon, 27 Mar 2000 23:31:41 MDT." <38E043BD.BF9BB32D@digitaldefense.net>
hdm@SECUREAUSTIN.COM said:
> The UDP masquerading code only checks the DESTINATION PORT to
> determine if a packet coming from the external network is to be
> forwarded inside.
This is due to a number of hosts/services returning UDP from an IP
other than that which the original UDP packet went to - for example it
is frequently the case that NFS servers just use the interface IP
address "closest" to that which the NFS op came from.
I'll give this some thought to work out a way of narrowing this hole (I
don't think it can be completely closed without causing other problems).
However, in general I would not advise the use of UDP masq for a
firewalling gateway - since the only thing that people are normally
putting through the UDP side is DNS, you are much better advised to put
a decent caching name server on the gateway box and block UDP through
completely.
Nigel.
--
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham Nigel.Metheringham@VData.co.uk ]
[ Phone: +44 1423 850000 Fax +44 1423 858866 ]
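The trade-off discussed in this thread, as an added example that is not part of the original post or of the Linux masquerading code: a toy UDP masquerade table that can match inbound datagrams either on the gateway port alone (the loose behaviour H D Moore describes) or on the full tuple including the outside peer's address and port (the strict check). The strict variant stops an unrelated outside host from reaching an inside port, but it also drops the NFS-style reply that arrives from a different interface address of the same server, which is the reason Nigel gives for the looser matching. All addresses, ports and the class names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    """Minimal UDP datagram header model (constructed for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class MasqEntry:
    """One masquerade table row: which inside socket owns a gateway port,
    and which outside peer the original datagram was sent to."""
    inside_ip: str
    inside_port: int
    masq_port: int       # port allocated on the gateway's external address
    outside_ip: str      # destination of the original outbound datagram
    outside_port: int


class UdpMasq:
    """Toy UDP masquerading gateway. With strict=False, inbound replies are
    matched on the gateway port only; with strict=True, the reply must also
    come from the peer the inside host actually sent to."""

    def __init__(self, external_ip: str, strict: bool, first_port: int = 61000):
        self.external_ip = external_ip
        self.strict = strict
        self._by_inside: Dict[tuple, MasqEntry] = {}
        self._by_masq_port: Dict[int, MasqEntry] = {}
        self._next_port = first_port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside datagram, creating a table entry if needed."""
        key = (pkt.src_ip, pkt.src_port)
        entry = self._by_inside.get(key)
        if entry is None:
            entry = MasqEntry(pkt.src_ip, pkt.src_port, self._next_port,
                              pkt.dst_ip, pkt.dst_port)
            self._next_port += 1
            self._by_inside[key] = entry
            self._by_masq_port[entry.masq_port] = entry
        return Packet(self.external_ip, entry.masq_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Decide whether an outside->gateway datagram is forwarded inside.
        Returns the de-masqueraded packet, or None if it is dropped."""
        if pkt.dst_ip != self.external_ip:
            return None
        entry = self._by_masq_port.get(pkt.dst_port)
        if entry is None:
            return None
        # Strict mode: the reply must come from the peer we sent to.
        if self.strict and (pkt.src_ip, pkt.src_port) != (entry.outside_ip, entry.outside_port):
            return None
        return Packet(pkt.src_ip, pkt.src_port, entry.inside_ip, entry.inside_port)


def scenario(strict: bool) -> Dict[str, bool]:
    """Run three inbound cases against a gateway and report what gets forwarded.
    Addresses are constructed from the RFC 5737 documentation ranges."""
    gw = UdpMasq(external_ip="203.0.113.1", strict=strict)

    # 1. Inside host sends a DNS query; the same server replies.
    out = gw.outbound(Packet("192.168.1.10", 1025, "198.51.100.53", 53))
    reply = gw.inbound(Packet("198.51.100.53", 53, "203.0.113.1", out.src_port))

    # 2. An unrelated outside host sends to the same gateway port.
    stray = gw.inbound(Packet("198.51.100.99", 4000, "203.0.113.1", out.src_port))

    # 3. NFS-style: the server answers from a different interface address.
    out2 = gw.outbound(Packet("192.168.1.11", 1026, "198.51.100.20", 2049))
    nfs_reply = gw.inbound(Packet("198.51.100.21", 2049, "203.0.113.1", out2.src_port))

    return {
        "genuine_reply": reply is not None,
        "unrelated_host": stray is not None,
        "nfs_reply_other_ip": nfs_reply is not None,
    }


if __name__ == "__main__":
    print("loose :", scenario(strict=False))
    print("strict:", scenario(strict=True))
```

Running it shows the two policies side by side: loose matching forwards all three datagrams, strict matching forwards only the genuine DNS reply and drops both the unrelated host and the NFS reply from the second interface address. That is the hole Nigel says cannot be fully closed without breaking such services, and why the post recommends a caching name server on the gateway with UDP forwarding blocked rather than relying on UDP masquerading at all.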