[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: spf and masquerading

On Sun, Apr 02, 2000 at 03:12:06PM +0200, Christian Hammers wrote:
> > Wrong. spf does monitor the outgoing packets and install a backward rule.
> A host behind a masquerading gateway wouldn't be reachable if not the 
> gateway monitors outgoing packats and installs a backward rule, too, 
> although here it maps a local (gateway) port to an intern address+port.

Yes, of course. This is not the kinf of rule I was talking about. spf takes
care of ipchain rules.

> In this case the masquerading software does something similar as the
> spf software. 

In some sense yes. But the function is quite different. Let's use an
example. My DNS server shall have the IP number with my firewall
masquerading this.

So the following spf rules allows it to work:

-A input -j ACCEPT -i eth1 -s 1024:65535 -d domain -p udp
-A forward -j MASQ -s 1024:65535 -d domain -p udp

Let's say I block everything else. So my server is able to send requests but
no answer will be able to come back in. You need another input rule that
allows input from the server accessed. And that rule is created by spf. 

The ip masquerading code is not to do that. Once the packets were send out
there is an open entry for udp packets. 

>   What harm can a packet without SYN flag have? AFAIK it can only fiddle

I think there was an exploit some time ago that send send lots of ACK
packets, wasn't it?

>   around with the ip-stack implementation - which has to be stable anyways.

That's the reasoning the upstream maintainer of spf uses to explain why he
does allow all established tcp packets in. I do not think this is a good way
of running a secure system. That's why I configure spf for Debian slightöy

> udp:
>   ok, no syn flag here (but it's normally only used for DNS...)

Yes, but check bugtraq for a udp masquerading design flaw.

> icmp:
>   what use does spf bring here? If you want to secure you host you deny 
>   everything but echo/echo reply, dest unreachable, source quench, redirect 
>   and time exceeded. Apart from the first on (->ping) you can't have any
>   statefullness anyways.

Right. It's only echo replies that the statefulness is used for. But I for
one like to have my system as tight as possible. Who knows maybe there's
already an exploit using echo reply. :-)

> I thought that spf is mainly used for protecting against *incoming* 
> packets. Here you can deny everything below 1024 except for the few 
> services you need. Then the only way of attacking could be spoofed packets
> that do not belong to any real connection. But there packages should be 
> discarded by the normal IP stack, too.

You can of course use spf on ports < 1024 for incoming connections. But then
it won't bring you anything over ipchains since you have to leave the port
open anyways. For instance if you have port SMTP open to the world what can
spf do? It cannot block anything, except the spoofed packets you talked
about. And if you really trust your tcp stack that'll do the same.


Michael Meskes                         | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz    | Go Rhein Fire!
Tel.: (+49) 2431/72651                 | Use Debian GNU/Linux!
Email: Michael@Fam-Meskes.De           | Use PostgreSQL!

Reply to: