NetFilter
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [LARTC] Interesting article about punching holes in firewalls...

from [Stephen Hemminger] [Permanent Link][Original]
To: Grant Taylor <gtaylor@riverviewtech.net>
Subject: Re: [LARTC] Interesting article about punching holes in firewalls...
From: Stephen Hemminger <shemminger@osdl.org>
Date: Wed, 20 Dec 2006 13:23:29 -0800
Cc: Mail List - Linux Advanced Routing and Traffic Control <lartc@mailman.ds9a.nl>, Mail List - Netfilter <netfilter@lists.netfilter.org>
Delivered-to: sp-com-lists@consult.net
Delivered-to: lartc-list@securepoint.com
Delivered-to: lartc@outpost.ds9a.nl
In-reply-to: <45860240.2040102@riverviewtech.net>
List-archive: <http://mailman.ds9a.nl/pipermail/lartc>
List-help: <mailto:lartc-request@mailman.ds9a.nl?subject=help>
List-id: "Mailinglist of the Linux Advanced Routing &amp; Traffic Control project" <lartc.mailman.ds9a.nl>
List-post: <mailto:lartc@mailman.ds9a.nl>
List-subscribe: <http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=subscribe>
List-unsubscribe: <http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=unsubscribe>
Organization: OSDL
References: <45860240.2040102@riverviewtech.net>
Sender: lartc-bounces@mailman.ds9a.nl 
On Sun, 17 Dec 2006 20:51:44 -0600
Grant Taylor <gtaylor@riverviewtech.net> wrote:

> I ran across an interesting article 
> (http://www.heise-security.co.uk/articles/print/82481) (1) that I think 
> any and all firewall administrators should take a few moments to read.
> 
> I personally have known that using "-m state --state 
> ESTABLISHED,RELATED" was not the most secure thing to use for returning 
> traffic.  Namely this will allow you to make a valid connection to a web 
> server, say to retrieve a picture.  Then said web server could send 
> malicious traffic back to your computer and pass through your firewall. 
>   This is because the traffic coming from the web server to your 
> computer is now deemed as RELATED.  Previously I have written this off 
> as not needing to worry about this (much) YET.  Yet being the operative 
> word.  I have long known that I would, especially on more secure 
> installs (read not SOHO) need to filter inbound traffic based on source 
> / destination port.  I just have not thought that it was important 
> enough to do presently for my clientele.  Unfortunately, the day where 
> we do as much filtering on related traffic as we do on non related 
> traffic may be closer at hand than we all would like to admit.  :(
> 
> 
> 
> Grant. . . .
> 
> 
> (1) Is a /. article "How Skype Punches Holes in Firewalls" 
> (http://it.slashdot.org/article.pl?sid=06/12/15/191205)
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

This isn't new, it STUNT (Simple Traversal of UDP through NAT
and TCP).  See:
        http://nutss.gforge.cis.cornell.edu/stunt.php

It has been studied by Internet researchers for a while. But for most
users, NAT is an impediment to connectivity, and STUNT is a good thing.

You should be able to block it with netfilter connection tracking.

-- 
Stephen Hemminger <shemminger@osdl.org>
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: "iptables: No chain/target/match by that name", Brian McNally
Next by Date:  Port forwarding - what's wrong with my setup?, Nandan Bhat
Previous by Thread:  Re: [LARTC] Interesting article about punching holes in firewalls..., Torsten Luettgert
Next by Thread:  Altering connection tracking state with ICMP..., Grant Taylor
Indexes:  [Date] [Thread] [Top] [All Lists]