Great Circle Associates Firewalls
(July 1996)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: IP Masquerading and vulnerabilities
From: lists @ lina . inka . de (Bernd Eckenfels)
Date: Sat, 27 Jul 1996 18:43:14 +0200 (MET DST)
To: jsanchez @ esegi . es (Julio Sanchez)
Cc: gmv-gw-lists-firewalls @ gmv . es
In-reply-to: <x0ybk593k8 . fsf @ melmac . gmv . es> from "Julio Sanchez" at Jul 27, 96 04:24:55 pm

Hi,

> What he has repeatedly said is that TCP has no record boundaries, so
> even if you always defragment (that obviously makes filtering easier),
> you still may get the application data in pieces, i.e. in different
> packets, for a number of reasons, some of them accidental, some of
> them intentional.  You still might get the PORT command in several
> pieces.
Yes. But the KErnel only needs to store little information (at least for
FTP): If you receive:

PORT 1/packet border/23,13,45,45,4,67

You only need to store about 30 bytes for each NATed FTP Connection between
two packages. That is no big deal. On the other hand:

> So unless the packet level thing (whether it is for filtering or NAT)
> is also messing with the TCP engine, you are better off with a proxy.
> It will always work.

A combo method is a good solution. Handle the Control connection with a
user-mode Transparent-Proxy and let it set up a masquerade connection for
Data. Then you get the flexibility of Usermode with the Performance of
Kernel Masquerading.

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels @
 Wittumstrasse13 .
 76646Bruchsal .
 de --
 ( .. )  ecki @
 lina .
 {inka .
 de,ka.sub.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/A2C51749  eckes @
 irc  +4972573817  *plush*
(O____O)       If privacy is outlawed only Outlaws have privacy


Follow-Ups:
References:
Indexed By Date Previous: Re: Catapult
From: lists @ lina . inka . de (Bernd Eckenfels)
Next: Re: Remote Access Software
From: "Todd Glassey, Consultant" <tglassey @ earthlink . net>
Indexed By Thread Previous: Re: IP Masquerading and vulnerabilities
From: Julio Sanchez <jsanchez @ esegi . es>
Next: Re: IP Masquerading and vulnerabilities
From: Darren Reed <avalon @ coombs . anu . edu . au>

Google
 
Search Internet Search www.greatcircle.com