From: Payam Chychi <pchychi@gmail.com>
To: Scott Mcdermott <scott@omnisys.com>
Cc: netfilter@vger.kernel.org
Subject: Re: empty filter on FORWARD chain with rp_filter means safe right?
Date: Thu, 07 Oct 2010 21:40:51 -0700 [thread overview]
Message-ID: <4CAEA0D3.1020207@gmail.com> (raw)
In-Reply-To: <20101008043129.GA2017@omnius.omnisys.com>
Thats correct Scott,
in order for any systems to abuse your setup they will need to be
directly connected to a segment that has knowledge of valid route to the
end system... meaning if a computer is 2 hops away and the router in
between has no knowledge of how to get to your private rfc1918 then pkts
get dropped.
Keep in mind that as ipv4 exhaustion gets extreme, some isps will use
rcf1918 blocks and route them either in their IGP or even EGP (aka
internet routes)...
-Payam
Network Engineer / Security Specialist
Scott Mcdermott wrote:
> Hello,
>
> I encountered a system today with two attached
> networks, one public and the other RFC1918. The box
> had ip_foward=1, FORWARD chain empty, policy ACCEPT.
> rp_filter was set on both the interfaces.
>
> Now if I were somewhere off the public interface, but
> many hops away, there is no possible way to get packets
> to the RFC1918 side of the box is there? Because I
> have no way to actually route the packets to the
> gateway with destination addresses on the far side. So
> actually this box is safe from malicious activity, even
> though there is an ACCEPT policy on FORWARD and it's
> set with routing enabled. Is this correct?
>
> Now if instead I have control of a station on the same
> segment as the gateway's public interface, or if I
> control routers in-between and can set up routes to get
> packets to the box with the internal IPs as
> destinations, then it's a different story. But in the
> common case of having ISPs in between (which will drop
> my packets with RFC1918 destinations), it's not
> possible to get packets to the gateway's internal
> network except if they NAT some of them for me.
>
> Please help me to see if my understanding is correct.
>
> Thanks.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
next prev parent reply other threads:[~2010-10-08 4:40 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-08 4:31 empty filter on FORWARD chain with rp_filter means safe right? Scott Mcdermott
2010-10-08 4:40 ` Payam Chychi [this message]
2010-10-08 5:02 ` Jan Engelhardt
2010-10-08 16:18 ` Payam Chychi
2010-10-08 14:16 ` Pascal Hambourg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4CAEA0D3.1020207@gmail.com \
--to=pchychi@gmail.com \
--cc=netfilter@vger.kernel.org \
--cc=scott@omnisys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.