[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: spf and masquerading

Hello list

On Sat, 01.04.00 11:57 +0200, Michael Meskes wrote:
> > a) Statefull packet filtering would be quite senseless
> >    if I applied it to a masquerading server because that would not allow
> >    connections to hosts other than the firewall (exept I explicit programm
> >    them). Right or wrong?
> Wrong. spf does monitor the outgoing packets and install a backward rule.
A host behind a masquerading gateway wouldn't be reachable if not the 
gateway monitors outgoing packats and installs a backward rule, too, 
although here it maps a local (gateway) port to an intern address+port.

> It does not matter if the router is masquearding.
In this case the masquerading software does something similar as the
spf software. 

> > b) On a normal host, spf is only good to avoid opening all ports above
> >    1023, right? But in case I deny connections (SYN-Flag) to those ports,
> >    will it bring me any advantage?
> Sorry, I do not understand that question. Where's the connection between spf
> and the user port range. With ipchains you can only stop packets with SYN
> flag set. How about packets with SYN flag unset? And how about udp and icmp?
  What harm can a packet without SYN flag have? AFAIK it can only fiddle
  around with the ip-stack implementation - which has to be stable anyways.
  ok, no syn flag here (but it's normally only used for DNS...)
  what use does spf bring here? If you want to secure you host you deny 
  everything but echo/echo reply, dest unreachable, source quench, redirect 
  and time exceeded. Apart from the first on (->ping) you can't have any
  statefullness anyways.

> Also I wonder why spf cannot help you with port < 1024.
I thought that spf is mainly used for protecting against *incoming* 
packets. Here you can deny everything below 1024 except for the few 
services you need. Then the only way of attacking could be spoofed packets
that do not belong to any real connection. But there packages should be 
discarded by the normal IP stack, too.

> Michael


Linux - the choice of the GNU generation.          Join the Debian Project 
Christian Hammers * Oberer Heidweg 35 * D-52477 Alsdorf * Tel: 02404-25624
50 3C 52 26 3E 52 E7 20  D2 A1 F5 16 C4 C9 D4 D3  1024/925BCB55 1997/11/01

Reply to: