From owner-freebsd-security Mon Mar 18 10:59:40 2002
Date: Mon, 18 Mar 2002 11:07:58 -0800
From: Jason DiCioccio
To: Fergus Cameron, freebsd-security@freebsd.org
Subject: Re: Is PortSentry really safe to use?
Message-ID: <2929174843.1016449678@[192.168.4.56]>
In-Reply-To: <20020318183415.E1000@dedog.argus-systems.co.uk>

It would probably be safe to block based on established TCP connections;
however, I would be wary of UDP, ICMP and non-established TCP sessions.
Sound good?

Also, generally I wouldn't think the gateway would help for inbound spoofed
packets, unless they were spoofing something that was obviously fake like
127.0.0.1, 192.168.*, etc.

Cheers,
-JD-

--On Monday, March 18, 2002 6:34 PM +0000 Fergus Cameron wrote:

> surely it wouldn't be possible to spoof an attack 'through' a gateway ?
> would the gateway not reject the traffic as invalid ? otherwise it
> would pass traffic apparently from itself but received on the wrong
> interface.
>
> ? ?
>
> i realise the principle of the problem still applies - but would this
> specific application work ?
>
> On 15.03-22:07, Jesper Wallin wrote:
>> Hey..
>>
>> Let's say I want to hide all my services by changing the standard ports on
>> all servers and run PortSentry.. I used to run my system like that before
>> but yesterday a friend of mine was talking about a little security
>> issue..
>>
>> Let's say we run a system like that on www.blah.com, what happens if I
>> run a traceroute on it and fake a portscan from his default gateway?
>> Sure he can add the default gateway to the portsentry.ignore file but
>> then I just take the box before that and the one before that and the...
>> and so on..
>>
>> Isn't PortSentry more like a problem than a help then? I'm not sure if
>> all of this works but I know it's possible to fake portscans with
>> software like "rain" and other "custom packets" programs.
>>
>> Jesper Wallin (aka Z3l3zT)
>> "it's better to be a lame hacker than a hacked lamer"
>
> --
> Fergus Cameron Tel: +447779236010
> Fax: +447980681864

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
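The trade-off JD and Jesper are arguing over, as an added simulation that is not part of the thread and not PortSentry's code: a small auto-blocker is fed a constructed event log in which an attacker first probes from their own address and then forges probes from each hop found by traceroute. The addresses are from the RFC 5737 documentation ranges, the decoy ports and the policy names ("naive", "established_only") are this script's own inventions, and the ignore list holds only the default gateway, exactly as in Jesper's scenario.

```python
"""Simulation of the auto-blocking trade-off discussed in the thread.

Constructed example: the event log, addresses and decoy ports are made up
(RFC 5737 documentation ranges), and the policy names are this script's own,
not PortSentry's configuration keywords.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Unused ports the sentinel watches; any hit is treated as a probe.
DECOY_PORTS = {31337, 54321}

# Upstream hops that must never be blocked (the role of portsentry.ignore).
# Only the default gateway is listed, as in Jesper's scenario.
IGNORE = [ip_network("203.0.113.1/32")]

# Sources that cannot legitimately appear on the external interface. A block
# rule for these is never useful, and one for 127.0.0.1 would cut the host
# off from its own services, so they are dropped and never fed to the blocker.
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Event:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str                   # source address as seen on the wire
    dport: int = 0             # destination port (0 for icmp)
    established: bool = False  # tcp only: three-way handshake completed


def is_probe(ev: Event) -> bool:
    """A hit on a decoy port, or (in this model) any unsolicited ICMP."""
    return ev.proto == "icmp" or ev.dport in DECOY_PORTS


def spoofable(ev: Event) -> bool:
    """True when an off-path attacker could have forged the source address:
    anything without a completed TCP handshake. A completed handshake proves
    the peer saw our SYN-ACK, which an off-path forger cannot (an attacker
    sitting on the path to the spoofed address still can, so this is not
    absolute)."""
    return ev.proto != "tcp" or not ev.established


def verdict(ev: Event, policy: str) -> str:
    """Decide what the sentinel does with one event.

    policy "naive":            block on any probe, whatever the protocol
    policy "established_only": block only on probes whose source is proven
                               by a completed TCP handshake (JD's suggestion)
    Returns "ignore", "drop", "pass", "log" or "block".
    """
    src = ip_address(ev.src)
    if any(src in net for net in IGNORE):
        return "ignore"
    if any(src in net for net in BOGONS):
        return "drop"
    if not is_probe(ev):
        return "pass"
    if policy == "established_only" and spoofable(ev):
        return "log"  # record the probe, but do not act on an unproven address
    return "block"


# Constructed event log for Jesper's attack: the attacker at 198.51.100.7
# traceroutes the target, then forges probes from each hop on the path
# (203.0.113.1 is the default gateway, .2 and .3 the hops before it).
EVENTS = [
    Event("tcp", "198.51.100.7", 31337, established=True),  # attacker's own connect()
    Event("tcp", "203.0.113.1", 31337),   # forged SYN "from" the default gateway
    Event("tcp", "203.0.113.2", 31337),   # forged SYN "from" the next hop up
    Event("udp", "203.0.113.3", 54321),   # forged UDP "from" the hop after that
    Event("icmp", "203.0.113.3"),         # forged ICMP from the same hop
    Event("tcp", "127.0.0.1", 31337),     # obviously fake, never reaches the blocker
    Event("tcp", "192.0.2.9", 80),        # ordinary traffic to a real service
]


def blocked_under(policy: str, events=EVENTS) -> set:
    """Addresses the sentinel would hand to the firewall under `policy`."""
    return {ev.src for ev in events if verdict(ev, policy) == "block"}


if __name__ == "__main__":
    for policy in ("naive", "established_only"):
        print(policy, sorted(blocked_under(policy)))
```

Under "naive" the two hops above the gateway end up in the block list and the host loses its route out, which is the self-inflicted outage Jesper describes; extending the ignore list one hop at a time is the losing race he points at. Under "established_only" only the attacker's own, handshake-proven address is blocked, but the forged SYN, UDP and ICMP probes are merely logged, so SYN-only and UDP scans are no longer blocked at all. That is the cost behind JD's "wary" and the reason the policy should be chosen deliberately rather than assumed.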