From: Michael Collette
To: FreeBSD Security
Date: Fri, 20 Jun 2003 12:19:14 -0700
Subject: Re: IPFW: combining "divert natd" with "keep-state"
Message-Id: <200306201219.14573.metrol@metrol.net>
References: <3203DF3DDE57D411AFF4009027B8C367444536@exchange-uk.isltd.insignia.com>

On Friday 20 June 2003 03:40 am, Jim Hatfield wrote:
> I would have thought
> it very difficult for anyone to route a packet to you with
> a non-routable destination address. Surely only your ISP
> could do that?

I would agree, except for a Checkpoint exploit I'd read about a while back. See, their management console would only allow authorized IPs in to work on the enforcement point. By default, and impossible to turn off by a user, it would allow traffic from its local IP without further checking. The exploit involved sending packets to the non-secure interface with a return address of the fw's own IP.
Although the true source wouldn't get any packets back, it could send one-way commands to the firewall to have it bring its guard down. I don't recall all the specifics. This was well over a year ago.

BTW, is there a way to give certain IPs permission to reload IPFW's rules? There's some stuff I'd like to be able to admin remotely. Darn box won't let me reload rules, but it will let me reboot. I've done this quite a bit in the past to force new rules to load. I was rather hoping there was a more elegant solution to this.

Later on,
-- 
"Always listen to experts. They'll tell you what can't be done, and why. Then do it." - Robert A. Heinlein
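The pattern the post describes (packets arriving on the outside interface whose source address claims to be the firewall itself, or another address that could never legitimately come from the outside) is exactly what IPFW anti-spoofing rules exist to drop, and they belong ahead of any "divert natd" or "keep-state" rule so nothing downstream ever trusts such a packet. The script below is an added example written for this thread, not code from the original message or from FreeBSD's own rc scripts; the interface name fxp0, the address 203.0.113.5 and the rule numbers are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: generate IPFW deny rules that drop inbound packets on the
# outside interface whose source address is spoofed.  Interface name, address
# and rule numbers are assumptions for illustration.
#
# The output is in the format ipfw(8) accepts from a rule file
# ("add <num> <action> ..."), so it can be saved and loaded with
# "ipfw /path/to/file" without the leading "ipfw" on each line.

antispoof_rules() {
    ext_if="$1"        # outside interface (assumed: fxp0)
    fw_ip="$2"         # the firewall's own public address (assumed)
    n="${3:-100}"      # first rule number; keep these ahead of "divert natd"

    # 1. A packet that says it is from us but arrived from the outside is
    #    spoofed: our own address can only originate on the box itself.
    printf 'add %d deny log ip from %s to any in via %s\n' "$n" "$fw_ip" "$ext_if"
    n=$((n + 1))

    # 2. Loopback, RFC 1918 and "this network" sources are never routable
    #    across the Internet, so they cannot legitimately arrive on ext_if.
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8; do
        printf 'add %d deny log ip from %s to any in via %s\n' "$n" "$net" "$ext_if"
        n=$((n + 1))
    done
}

# Only print the rules here, so the script is safe to run on a box without
# ipfw; load them with:  antispoof_rules fxp0 203.0.113.5 > /tmp/antispoof.rules
#                        ipfw /tmp/antispoof.rules
antispoof_rules "${EXT_IF:-fxp0}" "${FW_IP:-203.0.113.5}"
```

The "log" keyword on each rule is what makes this useful operationally: a spoofed packet that matches rule 100 shows up in the IPFW log as traffic from the firewall's own address arriving on the outside interface, which is a clear signal worth alerting on rather than silently dropping.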