From: Keith Whyte <keith@media-solutions.ie>
To: netfilter@lists.netfilter.org
Subject: coming in through the outgoing hole?
Date: Mon, 21 Nov 2005 11:58:50 -0600
Message-ID: <43820ADA.8000206@media-solutions.ie>
Here's a scenario.
I have opened outgoing webserver requests and their responses thus
(output from iptables -v -L):

INPUT
    0     0 ACCEPT     tcp  --  eth0   any     anywhere   anywhere   tcp spt:http dpts:1024:65535

OUTPUT
    0     0 ACCEPT     tcp  --  any    eth0    anywhere   anywhere   tcp spts:1024:65535 dpt:http
Now, it occurs to me that I have opened access to ports 1024 to 65535,
as long as the source port is port 80, correct?
Whereas I only want it open for connections originating on the local
machine.
I presume the answer here is conntrack, could someone help me with the
command for the INPUT chain?
Should it be --state RELATED or ESTABLISHED or both, or something like
! NEW (if that can be done)?
As a hypothetical example of the problem:
let's say I run an admin-type webserver for some app, listening on a
port above 1024, for example. If someone hacked a web client to use port
80 as the source port for its connections (dunno, would you have to
hack the kernel too, or just be root?), then they could bypass the
firewall part of the security, right? Or with ssh, surely it would be
easy enough to hack an ssh client to use port 80 as its source port.
OK, so you probably shouldn't run an ssh listener on a port above 1024,
but nevertheless, it's a good hole to close.
thanks!
Keith.
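As an added illustration (not part of Keith's message or of any reply in the thread), the Python below models the two INPUT policies over constructed packets: the stateless rule from the listing above, and the same rule with a connection-tracking state match. The addresses, the ephemeral port 40000 and the admin listener on 8080 are constructed; the Conntrack class is a simplified stand-in for netfilter's connection table, not its real data structure. HARDENED_RULES holds the iptables commands the model corresponds to, using the `-m state` syntax of the period.

```python
"""Stateless vs. connection-tracked INPUT rule, modelled over constructed packets.

Added example, not from the original message. The Conntrack class is a
simplified stand-in for netfilter's connection table, not the real thing.
"""
from dataclasses import dataclass

HTTP = 80

# iptables rules the model below corresponds to (2005-era `-m state` syntax).
# The INPUT rule is the original one with a state match added, so a bare
# inbound packet that merely carries source port 80 is no longer enough.
HARDENED_RULES = (
    "iptables -A OUTPUT -o eth0 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT",
    "iptables -A INPUT  -i eth0 -p tcp --sport 80 --dport 1024:65535 "
    "-m state --state ESTABLISHED,RELATED -j ACCEPT",
)


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (arriving on eth0) or "out" (leaving via eth0)
    src: str
    sport: int
    dst: str
    dport: int


def stateless_input_accepts(pkt: Packet) -> bool:
    """The original INPUT rule: ACCEPT tcp spt:http dpts:1024:65535."""
    return pkt.direction == "in" and pkt.sport == HTTP and 1024 <= pkt.dport <= 65535


class Conntrack:
    """Minimal connection table: remembers the 4-tuples of flows this host opened."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def output(self, pkt: Packet) -> bool:
        """The OUTPUT rule: accept local requests to port 80 and track the flow."""
        if pkt.direction == "out" and pkt.dport == HTTP and 1024 <= pkt.sport <= 65535:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False

    def state_of(self, pkt: Packet) -> str:
        """ESTABLISHED if the packet is the reverse of a tracked flow, else NEW.

        RELATED (ICMP errors, helper-opened data channels) is not modelled here.
        """
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ESTABLISHED"
        return "NEW"


def stateful_input_accepts(ct: Conntrack, pkt: Packet) -> bool:
    """The hardened INPUT rule: same port tests, plus --state ESTABLISHED,RELATED."""
    return stateless_input_accepts(pkt) and ct.state_of(pkt) in ("ESTABLISHED", "RELATED")


def run_scenario() -> dict[str, bool]:
    """Constructed hosts (RFC 5737 documentation ranges) and constructed ports."""
    local, web, other = "192.0.2.10", "198.51.100.5", "203.0.113.7"
    ct = Conntrack()

    # 1. This host makes a web request; OUTPUT accepts it and records the flow.
    request = Packet("out", local, 40000, web, HTTP)
    ct.output(request)
    # 2. The server's reply: source port 80, destination our ephemeral port.
    reply = Packet("in", web, HTTP, local, 40000)
    # 3. An unsolicited inbound packet that also carries source port 80,
    #    aimed at a hypothetical admin listener on 8080 (above 1024).
    unsolicited = Packet("in", other, HTTP, local, 8080)

    return {
        "reply_stateless": stateless_input_accepts(reply),
        "reply_stateful": stateful_input_accepts(ct, reply),
        "unsolicited_stateless": stateless_input_accepts(unsolicited),
        "unsolicited_stateful": stateful_input_accepts(ct, unsolicited),
    }


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name:24s} {'ACCEPT' if accepted else 'DROP'}")
```

Both policies accept the genuine reply, but only the stateless rule accepts the unsolicited packet to 8080: the port tests are identical, so the state match is what does the work. On the question of which states to list, ESTABLISHED alone covers TCP replies to flows the host opened; RELATED additionally admits traffic netfilter ties to an existing flow, such as ICMP errors for it. `-m state ! --state NEW` is valid syntax too, but the negation also matches INVALID, which is why the positive ESTABLISHED,RELATED list is the usual choice.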