Date: Fri, 20 Jun 2003 12:19:14 -0700
From: Michael Collette <metrol@metrol.net>
To: FreeBSD Security <FreeBSD-Security@FreeBSD.org>
Subject: Re: IPFW: combining "divert natd" with "keep-state"
Message-ID: <200306201219.14573.metrol@metrol.net>
In-Reply-To: <hoo5fv47iqp19rvp253tau6d61f4sdq5br@4ax.com>
References: <3203DF3DDE57D411AFF4009027B8C367444536@exchange-uk.isltd.insignia.com> <hoo5fv47iqp19rvp253tau6d61f4sdq5br@4ax.com>
On Friday 20 June 2003 03:40 am, Jim Hatfield wrote:

> I would have thought it very difficult for anyone to route a packet to you with
> a non-routable destination address. Surely only your ISP could do that?

I would agree, except for a Checkpoint exploit I'd read about a while back. See, their management console would only allow authorized IPs in to work on the enforcement point. By default, and impossible to turn off by a user, it would allow traffic from its local IP without further checking. The exploit involved sending packets to the non-secure interface with a return address of the fw's own IP. Although the true source wouldn't get any packets back, it could send one-way commands to the firewall to have it bring its guard down.

I don't recall all the specifics. This was well over a year ago.

BTW, is there a way to give certain IPs permission to reload IPFW's rules? There's some stuff I'd like to be able to admin remotely. Darn box won't let me reload rules, but it will let me reboot. I've done this quite a bit in the past to force new rules to load. I was rather hoping there was a more elegant solution to this.

Later on,

-- 
"Always listen to experts. They'll tell you what can't be done, and why. Then do it." - Robert A. Heinlein
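The spoofing pattern described in the message above (packets arriving on the outside interface carrying the firewall's own address as their source) is the kind of thing an ipfw ruleset can reject before any divert or keep-state rule sees the packet. The following is an added example, not code from the original thread; the interface name fxp0 and the rule numbers are assumed placeholders.

```sh
#!/bin/sh
# Added example: ipfw anti-spoofing rules for the outside interface.
# Assumptions: the outside interface is named fxp0 (override with EXT_IF),
# and rules are loaded with /sbin/ipfw (set FWCMD=echo to preview instead).
ext_if="${EXT_IF:-fxp0}"          # assumed name of the outside interface
fwcmd="${FWCMD:-/sbin/ipfw -q}"   # -q: quiet, so a remote session is not flooded

load_antispoof_rules() {
    # These rules are numbered low so they are evaluated before any
    # "divert natd" or "keep-state" rule; a packet that claims to come
    # from this host ("me") or from private space cannot legitimately
    # arrive inbound on the outside interface, so it is dropped and logged
    # before it can create dynamic state or reach the NAT daemon.
    $fwcmd add 100 deny log ip from me to any in via "$ext_if"
    $fwcmd add 110 deny log ip from 10.0.0.0/8 to any in via "$ext_if"
    $fwcmd add 120 deny log ip from 172.16.0.0/12 to any in via "$ext_if"
    $fwcmd add 130 deny log ip from 192.168.0.0/16 to any in via "$ext_if"
}

# Print the rules that would be loaded, without touching ipfw, so the
# set can be reviewed before it is applied on the firewall.
preview_antispoof_rules() {
    ( fwcmd=echo; load_antispoof_rules )
}
```

Run `preview_antispoof_rules` first to check the generated rules, then `load_antispoof_rules` on the firewall itself.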