From: Stephen Hemminger <shemminger@osdl.org>
To: Grant Taylor <gtaylor@riverviewtech.net>
Cc: Mail List - Linux Advanced Routing and Traffic Control
<lartc@mailman.ds9a.nl>,
Mail List - Netfilter <netfilter@lists.netfilter.org>
Subject: Re: [LARTC] Interesting article about punching holes in firewalls...
Date: Wed, 20 Dec 2006 21:23:29 +0000 [thread overview]
Message-ID: <20061220132329.61fc18da@freekitty> (raw)
In-Reply-To: <45860240.2040102@riverviewtech.net>
On Sun, 17 Dec 2006 20:51:44 -0600
Grant Taylor <gtaylor@riverviewtech.net> wrote:
> I ran across an interesting article
> (http://www.heise-security.co.uk/articles/print/82481) (1) that I think
> any and all firewall administrators should take a few moments to read.
>
> I personally have known that using "-m state --state
> ESTABLISHED,RELATED" was not the most secure thing to use for returning
> traffic. Namely this will allow you to make a valid connection to a web
> server, say to retrieve a picture. Then said web server could send
> malicious traffic back to your computer and pass through your firewall.
> This is because the traffic coming from the web server to your
> computer is now deemed as RELATED. Previously I have written this off
> as not needing to worry about this (much) YET. Yet being the operative
> word. I have long known that I would, especially on more secure
> installs (read not SOHO) need to filter inbound traffic based on source
> / destination port. I just have not thought that it was important
> enough to do presently for my clientele. Unfortunately, the day where
> we do as much filtering on related traffic as we do on non related
> traffic may be closer at hand than we all would like to admit. :(
>
>
>
> Grant. . . .
>
>
> (1) Is a /. article "How Skype Punches Holes in Firewalls"
> (http://it.slashdot.org/article.pl?sid\x06/12/15/191205)
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
This isn't new, it STUNT (Simple Traversal of UDP through NAT
and TCP). See:
http://nutss.gforge.cis.cornell.edu/stunt.php
It has been studied by Internet researchers for a while. But for most
users, NAT is an impediment to connectivity, and STUNT is a good thing.
You should be able to block it with netfilter connection tracking.
--
Stephen Hemminger <shemminger@osdl.org>
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
WARNING: multiple messages have this Message-ID (diff)
From: Stephen Hemminger <shemminger@osdl.org>
To: Grant Taylor <gtaylor@riverviewtech.net>
Cc: Mail List - Linux Advanced Routing and Traffic Control
<lartc@mailman.ds9a.nl>,
Mail List - Netfilter <netfilter@lists.netfilter.org>
Subject: Re: Interesting article about punching holes in firewalls...
Date: Wed, 20 Dec 2006 13:23:29 -0800 [thread overview]
Message-ID: <20061220132329.61fc18da@freekitty> (raw)
In-Reply-To: <45860240.2040102@riverviewtech.net>
On Sun, 17 Dec 2006 20:51:44 -0600
Grant Taylor <gtaylor@riverviewtech.net> wrote:
> I ran across an interesting article
> (http://www.heise-security.co.uk/articles/print/82481) (1) that I think
> any and all firewall administrators should take a few moments to read.
>
> I personally have known that using "-m state --state
> ESTABLISHED,RELATED" was not the most secure thing to use for returning
> traffic. Namely this will allow you to make a valid connection to a web
> server, say to retrieve a picture. Then said web server could send
> malicious traffic back to your computer and pass through your firewall.
> This is because the traffic coming from the web server to your
> computer is now deemed as RELATED. Previously I have written this off
> as not needing to worry about this (much) YET. Yet being the operative
> word. I have long known that I would, especially on more secure
> installs (read not SOHO) need to filter inbound traffic based on source
> / destination port. I just have not thought that it was important
> enough to do presently for my clientele. Unfortunately, the day where
> we do as much filtering on related traffic as we do on non related
> traffic may be closer at hand than we all would like to admit. :(
>
>
>
> Grant. . . .
>
>
> (1) Is a /. article "How Skype Punches Holes in Firewalls"
> (http://it.slashdot.org/article.pl?sid=06/12/15/191205)
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
This isn't new, it STUNT (Simple Traversal of UDP through NAT
and TCP). See:
http://nutss.gforge.cis.cornell.edu/stunt.php
It has been studied by Internet researchers for a while. But for most
users, NAT is an impediment to connectivity, and STUNT is a good thing.
You should be able to block it with netfilter connection tracking.
--
Stephen Hemminger <shemminger@osdl.org>
next prev parent reply other threads:[~2006-12-20 21:23 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-12-18 2:51 [LARTC] Interesting article about punching holes in firewalls Grant Taylor
2006-12-18 2:51 ` Grant Taylor
2006-12-18 7:26 ` Cedric Blancher
2006-12-19 9:42 ` Martijn Lievaart
2006-12-19 11:05 ` Cedric Blancher
2006-12-19 18:53 ` Martijn Lievaart
2006-12-20 3:42 ` Cedric Blancher
2006-12-19 11:07 ` Jozsef Kadlecsik
2006-12-19 11:46 ` Pascal Hambourg
2006-12-18 22:34 ` Martijn Lievaart
2006-12-18 22:50 ` Pascal Hambourg
2006-12-20 21:23 ` Stephen Hemminger [this message]
2006-12-20 21:23 ` Stephen Hemminger
2006-12-21 7:10 ` [LARTC] " Peter Surda
2006-12-21 7:57 ` Carl-Daniel Hailfinger
2006-12-21 7:57 ` Carl-Daniel Hailfinger
2006-12-25 21:43 ` [LARTC] " Torsten Luettgert
2006-12-21 15:37 ` Grant Taylor
2006-12-21 15:55 ` /dev/rob0
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20061220132329.61fc18da@freekitty \
--to=shemminger@osdl.org \
--cc=gtaylor@riverviewtech.net \
--cc=lartc@mailman.ds9a.nl \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.