From: Martijn Lievaart <m@rtij.nl>
To: Cedric Blancher <blancher@cartel-securite.fr>
Cc: Mail List - Netfilter <netfilter@lists.netfilter.org>,
Grant Taylor <gtaylor@riverviewtech.net>
Subject: Re: Interesting article about punching holes in firewalls...
Date: Tue, 19 Dec 2006 10:42:24 +0100 [thread overview]
Message-ID: <4587B400.6080206@rtij.nl> (raw)
In-Reply-To: <1166426813.8007.10.camel@anduril.intranet.cartel-securite.net>
Cedric Blancher wrote:
>Le dimanche 17 décembre 2006 à 20:51 -0600, Grant Taylor a écrit :
>
>
>>I personally have known that using "-m state --state
>>ESTABLISHED,RELATED" was not the most secure thing to use for returning
>>traffic. Namely this will allow you to make a valid connection to a web
>>server, say to retrieve a picture. Then said web server could send
>>malicious traffic back to your computer and pass through your firewall.
>> This is because the traffic coming from the web server to your
>>computer is now deemed as RELATED.
>>
>>
>
>How ? Afaik RELATED is used for two types of packets:
>
> . ICMP errors matching previously seen IP flow
> . First packet of expectations created through a helper
>
>
One can think about spoofed ICMP errors, but there really is not a lot
we can do about that. (And for tcp they SHOULD be ignored anyhow. OTOH
an atacker can spoof a RST packet.)
I do assume in all this that the only ICMP traffic matching RELATED are
true ICMP errors (afair host/net unreachable and fragmentation needed).
If this also opens up say ICMP redirect[1] we may have a slight problem.
It is possible netfilter does this to accomodate bridging setups. Anyone
can comment on this? If this opens up the connection for any other ICMP
traffic, I think that's a bug. But I cannot imagine netfilter does this,
anyone know for sure?
M4
[1] redirect in Linux is also sanity checked, so the risk is not even
that great, but still.
next prev parent reply other threads:[~2006-12-19 9:42 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-12-18 2:51 [LARTC] Interesting article about punching holes in firewalls Grant Taylor
2006-12-18 2:51 ` Grant Taylor
2006-12-18 7:26 ` Cedric Blancher
2006-12-19 9:42 ` Martijn Lievaart [this message]
2006-12-19 11:05 ` Cedric Blancher
2006-12-19 18:53 ` Martijn Lievaart
2006-12-20 3:42 ` Cedric Blancher
2006-12-19 11:07 ` Jozsef Kadlecsik
2006-12-19 11:46 ` Pascal Hambourg
2006-12-18 22:34 ` Martijn Lievaart
2006-12-18 22:50 ` Pascal Hambourg
2006-12-20 21:23 ` [LARTC] " Stephen Hemminger
2006-12-20 21:23 ` Stephen Hemminger
2006-12-21 7:10 ` [LARTC] " Peter Surda
2006-12-21 7:57 ` Carl-Daniel Hailfinger
2006-12-21 7:57 ` Carl-Daniel Hailfinger
2006-12-25 21:43 ` [LARTC] " Torsten Luettgert
2006-12-21 15:37 ` Grant Taylor
2006-12-21 15:55 ` /dev/rob0
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4587B400.6080206@rtij.nl \
--to=m@rtij.nl \
--cc=blancher@cartel-securite.fr \
--cc=gtaylor@riverviewtech.net \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.