In article <9501240405.AA02694@coney.island.com>, Pond Scum <hue@island.COM> wrote:
>Would it be possible for netacl to do a getsockname() and see which
>interface the packet arrived on, and if getpeername() said it was
>from one of the internal nets, but getsockname() said it came in
Doesn't help at all. The packets are forged to be from the internal
network, and this is what getsockname()/getpeername() will say. If you
use netacl to protect telnetd on the firewall (so that the admin can
login from the internal network), then the attacker can get to
telnetd.

If you have tn-gw, and do not require passwords (-noauth) for the
internal network (a reasonable thing to do), then they can use the
tn-gw to connect to the internal hosts. (Certainly you allow tn-gw
to talk from the internal net to the internal net, right?)

What is necessary is to make sure that all incoming packets arrive
on the same interface to which the firewall would send responses. I
have implemented this type of code. I'm checking every packet though,
and this strikes me as wasteful: seems to me that TCP SYN packets are
the only thing one needs to verify. I'm not certain that the attack is
meaningful with UDP packets, but why take chances.
--
:!mcr!: | Milkyway Networks Corporation <http://www.milkyway.com/>
Michael Richardson | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: mcr@sandelman.ocunix.on.ca <http://www.sandelman.ocunix.on.ca/People/Michael_Richardson/Bio.html>. PGP key available.
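The interface check the post describes, written out as an added illustration (not the poster's or Milkyway's code): each incoming packet's source address is looked up in a constructed routing table, and the packet is rejected when the interface it arrived on is not the one the firewall would reply through. The `syn_only` switch models the optimisation the post considers, and the sample traffic shows the UDP case that such an optimisation lets through. Routing table, interface names and packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed routing table: (destination network, interface the firewall
# would send replies through). Longest prefix wins; last entry is the default.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "inside"),
    (ipaddress.ip_network("192.168.5.0/24"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]


@dataclass
class Packet:
    src: str          # source address as written in the header (may be forged)
    dst: str
    proto: str        # "tcp" or "udp"
    ingress: str      # interface the packet actually arrived on
    flags: str = ""   # TCP flags, "S" for a bare SYN


def egress_for(addr):
    """Interface the firewall would route a reply to `addr` through."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in ROUTES:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def is_tcp_syn(pkt):
    return pkt.proto == "tcp" and pkt.flags == "S"


def reverse_path_ok(pkt, syn_only=False):
    """True if the packet may pass. With syn_only=True only TCP SYNs are
    checked (the post's proposed optimisation); everything else passes."""
    if syn_only and not is_tcp_syn(pkt):
        return True
    return egress_for(pkt.src) == pkt.ingress


def rejected(pkts, syn_only=False):
    """Packets the check would drop."""
    return [p for p in pkts if not reverse_path_ok(p, syn_only)]


# Constructed sample traffic, including forged internal sources arriving outside.
SAMPLE = [
    Packet("10.1.2.3", "10.0.0.1", "tcp", "inside", "S"),     # genuine internal
    Packet("10.1.2.3", "10.0.0.1", "tcp", "outside", "S"),    # forged SYN
    Packet("203.0.113.7", "10.0.0.1", "tcp", "outside", "S"), # genuine external
    Packet("192.168.5.9", "10.0.0.1", "udp", "outside"),      # forged UDP
]
```

Running `rejected(SAMPLE)` drops both forged packets, while `rejected(SAMPLE, syn_only=True)` drops only the forged SYN and lets the forged UDP datagram through.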