Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: ICMP pokes holes in firewalls...
From: "Daniel Chemko" <dchemko () smgtec com>
Date: Thu, 25 Sep 2003 15:05:07 -0700

NAT gateway has been 
detected as a ignore-the-source UDP forwarder

2.4 kernels: NAT doesn't work without ip_conntrack, and ip_conntrack
always keeps track of source IP addresses (hence its function). I can't
think of a situation for any Linux machine which allows inbound UDP
replies from other sources. Spoofing the original sender's address is a
different story, but that is pandemic of any stateless AND insecure
protocol.

I posted about this in March of 2000, the kernel development team
response 
was that many RPC services require this functionality and it would not
be 
fixed. The reason is that many UDP-based RPC services will respond back

to requests from an alternative interface using a different IP address 
entirely.

Just recently someone has written a conntrack handler to traverse
firewalls with RPC as you describe. No leaks to my knowledge, although I
am not too familiar with this module.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault