Re: Attack on badly configured Netfilter-based firewalls
From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 27 Feb 2012 19:13:42 +0100
* Eric Leblond:
I've discovered a generic attack on firewalls using an Application Level
Gateway (like Netfilter or Checkpoint).
This is rediscovered every two to five years. Here's mine
(from 2005, but it's been proposed before):
Secure use of iptables and connection tracking helpers:
I think your filters aren't effective against sandboxed Java code on
I think there are other client-side sandboxes which allow de-facto
unrestricted access (with server cooperation). Doesn't Flash require
just a policy file on the server to open up arbitrary ports?
You could exclude the magic Silverlight port range:
| One additional restriction on using the sockets classes is that the
| destination port range that a network application is allowed to
| connect to must be within the range of 4502-4534.
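As an added example (not part of Florian Weimer's message or of Eric Leblond's document), the following firewall script shows the defensive shape the thread is circling around: helper assignment made explicit instead of port-number based, and the Silverlight port range kept out of it. It reads "exclude the magic Silverlight port range" as "never attach a connection tracking helper to a flow whose destination port is 4502-4534"; that reading is this example's own. The addresses, the `LAN_NET`, `FTP_SERVER` and `APPLY` variables and the `run`/`helper_rules` function names are hypothetical, and the script assumes an iptables with the raw-table `CT` target and the `helper` match on a kernel that still has the `nf_conntrack_helper` sysctl (before 6.0, where automatic assignment was removed outright).

```shell
#!/bin/sh
# Explicit conntrack-helper assignment for a Netfilter firewall.
# Added example, not code from the original thread. Addresses are
# constructed (RFC 5737 ranges); variable and function names are hypothetical.
set -eu

LAN_NET="${LAN_NET:-192.0.2.0/24}"        # constructed: the internal network
FTP_SERVER="${FTP_SERVER:-198.51.100.10}" # constructed: the one FTP server clients may use
SILVERLIGHT_PORTS="4502:4534"             # sandbox-reachable range quoted in the thread
APPLY="${APPLY:-0}"                       # 0 = print the rules (dry run), 1 = execute them

# Print or execute a command, depending on APPLY.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

helper_rules() {
    # 1. Never let the kernel pick a helper from the destination port alone.
    run sysctl -w net.netfilter.nf_conntrack_helper=0

    # 2. Guard: flows into the Silverlight range never reach a CT rule.
    #    RETURN in a built-in raw chain ends traversal and applies the chain
    #    policy (ACCEPT), so no helper can be attached by the rules below.
    run iptables -t raw -A PREROUTING -p tcp --dport "$SILVERLIGHT_PORTS" -j RETURN

    # 3. Attach the FTP helper only to control connections from the LAN to the
    #    designated server. Client-side code talking to an arbitrary host on
    #    port 21 therefore never gets an ALG watching its payload.
    #    (Loads nf_conntrack_ftp on first use.)
    run iptables -t raw -A PREROUTING -s "$LAN_NET" -d "$FTP_SERVER" \
        -p tcp --dport 21 -j CT --helper ftp

    # 4. Accept expected TCP data connections only when the ftp helper created
    #    the expectation; generic RELATED acceptance would also honour
    #    expectations set up by any other helper. ICMP errors are not TCP and
    #    stay unaffected by the final DROP.
    run iptables -A FORWARD -p tcp -m conntrack --ctstate RELATED \
        -m helper --helper ftp -j ACCEPT
    run iptables -A FORWARD -p tcp -m conntrack --ctstate RELATED -j DROP
}

# Dry run by default; APPLY=1 sh script.sh installs the rules.
helper_rules
```

Run it once without `APPLY` to review the generated rules, then with `APPLY=1` as root to install them. The guard in step 2 is deliberately separate from the narrow CT rule in step 3 so that adding a second helper later (irc, sip, ...) cannot silently reopen the sandbox-reachable range.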