Re: [LARTC] Interesting article about punching holes in firewalls...

LARTC

Re: [LARTC] Interesting article about punching holes in firewalls...

To:	lartc@mailman.ds9a.nl
Subject:	Re: [LARTC] Interesting article about punching holes in firewalls...
From:	Peter Surda <surda@shurdix.com>
Date:	Thu, 21 Dec 2006 07:10:51 +0000
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	lartc-list@securepoint.com
Delivered-to:	lartc@outpost.ds9a.nl
In-reply-to:	<45860240.2040102@riverviewtech.net>
List-archive:	<http://mailman.ds9a.nl/pipermail/lartc>
List-help:	<mailto:lartc-request@mailman.ds9a.nl?subject=help>
List-id:	"Mailinglist of the Linux Advanced Routing & Traffic Control project" <lartc.mailman.ds9a.nl>
List-post:	<mailto:lartc@mailman.ds9a.nl>
List-subscribe:	<http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=subscribe>
List-unsubscribe:	<http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=unsubscribe>
References:	<45860240.2040102@riverviewtech.net>
Sender:	lartc-bounces@mailman.ds9a.nl
User-agent:	Thunderbird 1.5.0.8 (Windows/20061025)

Grant Taylor schrieb:

I personally have known that using "-m state --stateESTABLISHED,RELATED" was not the most secure thing to use for returningtraffic.

Actually, what the described method accomplishes is not defeating the"firewall" part, but the "NAT" part. If one of the hosts was not behinda NAT, the traffic would flow even with ESTABLISHED,RELATED, because itbelongs to active "connection".

Namely this will allow you to make a valid connection to a webserver, say to retrieve a picture. Then said web server could sendmalicious traffic back to your computer and pass through your firewall.

Please note it does not allow you to create a new connection, just usePOTENTIAL connections that wouldn't work due to NAT.

Grant. . . .

Yours sincerely,
Peter

--
http://www.shurdix.org - Linux distribution for routers and firewalls
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Interesting article about punching holes in firewalls..., Grant Taylor Re: Interesting article about punching holes in firewalls..., Martijn Lievaart Re: Interesting article about punching holes in firewalls..., Cedric Blancher Re: [LARTC] Interesting article about punching holes in firewalls..., Peter Surda <= Re: [LARTC] Interesting article about punching holes in firewalls..., Carl-Daniel Hailfinger Re: [LARTC] Interesting article about punching holes in firewalls..., Grant Taylor Re: [LARTC] Interesting article about punching holes in firewalls..., /dev/rob0 Re: [LARTC] Interesting article about punching holes in firewalls..., Stephen Hemminger

Previous by Date:	Re: [LARTC] Session Limiting per host, Grant Taylor
Next by Date:	Re: [LARTC] Interesting article about punching holes in firewalls..., Carl-Daniel Hailfinger
Previous by Thread:	Re: Interesting article about punching holes in firewalls..., Cedric Blancher
Next by Thread:	Re: [LARTC] Interesting article about punching holes in firewalls..., Carl-Daniel Hailfinger
Indexes:	[Date] [Thread] [Top] [All Lists]