* Mike Dresser (mdresser@windsormachine.com) [011010 08:44]: > I have a machine, X, 192.168.10.5, that has two modems in it. One > modem, /dev/ttyS2, dials into Y, 192.168.0.3 as needed, and the other, > /dev/ttyS0, into the Internet. > Now, I have two choices. > > if [ $DEVICE == "/dev/ttyS2" ]; then > /sbin/ipchains -I input -i $IFNAME --destination-port=23 -p tcp -j > ACCEPT; > fi > > in my /etc/ip-up.d/00fw > > or i can > > /sbin/ipchains -I input -i ppp+ -s 192.168.0.0/16 --destination-port=23 > -p tcp -j ACCEPT > > My question is, lets say I have a service on 23, that's vulnerable to > scrptkiddie.c. Assume a properly crafted packet can overflow it, and > open a rootshell on port ... 911. Can a spoofed packet be sent over the > 69.69.69.69 interface, that says its source packet is 192.168.0.3, which > would be allowed through, causing this hypothetical exploit? your kernel can help you block out spoofed packets automatically with something called rp_filter, if it's built in and enabled. see the spoof_protect_rp_filter shell function in /etc/init.d/networking to see how it works. you just have to customize /etc/network/spoof-protect and it should do the rest for you. > The second ipchains option seems a bit cleaner to me, but obviously no > good if the above situation is possible. If the ipchains table is Agreed, the second is the way to go. With rp_filter providing spoof protection, specifying the interfaces along with the addresses is not strictly needed (but "belts and suspenders," after all). good times, -- Vineet http://www.anti-dmca.org Unauthorized use of this .sig may constitute violation of US law. echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
Attachment:
pgpBAVMVkpzvh.pgp
Description: PGP signature