Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: Attack on badly configured Netfilter-based firewalls
From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 27 Feb 2012 19:13:42 +0100

* Eric Leblond:

I've discovered a generic attack on firewall using Application Level
Gateway (like Netfilter or Checkpoint).

This is rediscovered every two to five years.  Here's mine
(from 2005, but it's been proposed before):

<http://www.enyo.de/fw/security/java-firewall/>

Secure use of iptables and connection tracking helpers:
http://home.regit.org/netfilter-en/secure-use-of-helpers/

I think your filters aren't effective against sandboxed Java code on
the client.

I think there are other client-side sandboxes which allow de-facto
unrestricted access (with server cooperation).  Doesn't Flash require
just a policy file on the server to open up arbitrary ports?

You could exclude the magic Silverlight port range:

| One additional restriction on using the sockets classes is that the
| destination port range that a network application is allowed to
| connect to must be within the range of 4502-4534.

<http://msdn.microsoft.com/en-us/library/cc645032%28v=vs.95%29.aspx>


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]