From: Gavin Atkinson <gavin.atkinson@ury.york.ac.uk>
To: freebsd-questions@freebsd.org
Date: Sun, 29 Jul 2001 19:23:13 +0100 (BST)
Subject: Natd passing data out on low ports

(posting to -questions after no satisfactory reply from UK UG)

Hi,

I currently have a server with two network cards, one is attached to a private internal network (10.x.x.x) which can see the internet via natd through the second network card. Natd is started through rc.conf:

(irrelevant lines snipped)
natd_enable="YES"
natd_interface="rl1"

My problem is this: Users on hosts on the _internal_ network can use rlogin etc. to a host on the external network, and this connection actually comes from a privileged port on the box running natd, so it looks like the rlogin came from the gateway box. This means that a user with root on an internal box (or indeed any user on a windows box attached to the internal network) can spoof an rlogin, rsh etc. as if it came from a user on the gateway machine, and all without leaving a log.
How do I prevent natd from binding outgoing connections to low-numbered ports? At the moment this seems like a pretty big security hole... Please note I am not running the rutil servers on the box running natd - it's more to protect other hosts on the network and the privacy of other users' accounts.

Thanks,
Gavin
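The trust problem described above, as an added example that is not part of the original post or of natd itself: a small Python model of a port-preserving NAT in front of an rsh/rlogin server. It assumes (as the poster observes) that the NAT keeps the client's original source port when that port is free on the gateway, and it uses the classic r-service rule that a connection is trusted only if it comes from a host in hosts.equiv/.rhosts AND from a reserved port (512-1023). All addresses, the ephemeral pool base and the gateway_filter policy are constructed for the model; the block does not drive natd or ipfw.

```python
"""Model of why a port-preserving NAT undermines rsh/rlogin host trust.

Added example; not code from the original post. It is a simulation with
constructed addresses, not a driver for natd or ipfw. Assumed behaviour:
the NAT keeps the client's source port when that port is free on the
gateway (what the poster observes), and rshd/rlogind trust a connection
only if it comes from a listed host AND from a reserved port (512-1023).
"""
from dataclasses import dataclass, replace

RESERVED_LOW, RESERVED_HIGH = 512, 1023   # ports only root may bind on Unix
EPHEMERAL_BASE = 32768                     # assumed pool for rewritten ports

GATEWAY_EXT = "192.0.2.1"                  # constructed; RFC 5737 test address
INTERNAL_CLIENT = "10.0.0.7"               # constructed internal host
EXT_SERVER = "198.51.100.20"               # constructed external rsh server
TRUSTED_HOSTS = {GATEWAY_EXT}              # the server's hosts.equiv lists only the gateway


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Outbound address translation with an optional 'keep the same port' policy."""

    def __init__(self, ext_addr, same_ports):
        self.ext_addr = ext_addr
        self.same_ports = same_ports
        self.in_use = set()
        self.next_port = EPHEMERAL_BASE

    def _alloc(self):
        # Hand out the next free port from the unprivileged pool.
        while self.next_port in self.in_use:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def translate(self, flow):
        """Rewrite an outbound flow so it appears to come from the gateway."""
        if self.same_ports and flow.sport not in self.in_use:
            port = flow.sport          # preserved: a low port stays low
        else:
            port = self._alloc()       # rewritten into the ephemeral range
        self.in_use.add(port)
        return replace(flow, src=self.ext_addr, sport=port)


def rshd_accepts(flow, trusted=TRUSTED_HOSTS):
    """The classic r-service check: trusted source host AND reserved source port."""
    return flow.src in trusted and RESERVED_LOW <= flow.sport <= RESERVED_HIGH


def gateway_filter(flow, locally_originated):
    """Hypothetical egress policy for the external interface: only traffic the
    gateway itself originated may leave from a reserved port; translated
    traffic must leave from an unprivileged port."""
    if flow.sport <= RESERVED_HIGH and not locally_originated:
        return False
    return True


def spoof_attempt(same_ports, filtered):
    """An internal host whose user can bind low ports (root on Unix, or any
    user on Windows, as the poster notes) opens rsh from source port 1023 to
    the external server. Returns whether rshd on that server would accept the
    connection as a trusted one from the gateway."""
    nat = Nat(GATEWAY_EXT, same_ports)
    forged = Flow(INTERNAL_CLIENT, 1023, EXT_SERVER, 514)   # 514/tcp is rsh
    translated = nat.translate(forged)
    if filtered and not gateway_filter(translated, locally_originated=False):
        return False                   # dropped at the gateway, never reaches rshd
    return rshd_accepts(translated)


if __name__ == "__main__":
    print("same ports, no filter :", spoof_attempt(True, False))   # trusted: spoof works
    print("rewritten ports       :", spoof_attempt(False, False))  # port 32768, rejected
    print("same ports + filter   :", spoof_attempt(True, True))    # dropped at gateway
```

Either remedy in the model closes the hole: stop preserving the client's source port (translated flows then come from 32768 and up, outside the reserved range rshd trusts), or drop translated packets leaving the external interface from a reserved port while still letting the gateway's own processes use one. How to express the second policy in a real ipfw ruleset depends on where the divert rule sits, which the post does not show, so no rule syntax is given here.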