* Mike Dresser (mdresser@windsormachine.com) [011010 08:44]:
> I have a machine, X, that has two modems in it.  One
> modem, /dev/ttyS2, dials into Y, as needed, and the other,
> /dev/ttyS0, into the Internet.

> Now, I have two choices.
> if [ $DEVICE == "/dev/ttyS2" ]; then
>     /sbin/ipchains -I input -i $IFNAME --destination-port=23 -p tcp -j
> fi
> in my /etc/ip-up.d/00fw
> or i can
> /sbin/ipchains -I input -i ppp+ -s --destination-port=23
> -p tcp -j ACCEPT
> My question is, let's say I have a service on 23, that's vulnerable to
> scrptkiddie.c.  Assume a properly crafted packet can overflow it, and
> open a rootshell on port ... 911.  Can a spoofed packet be sent over the
> interface, that says its source packet is, which
> would be allowed through, causing this hypothetical exploit?

Your kernel can help you block out spoofed packets automatically with
something called rp_filter, if it's built in and enabled. See the
spoof_protect_rp_filter shell function in /etc/init.d/networking to see
how it works. You just have to customize /etc/network/spoof-protect and
it should do the rest for you.

> The second ipchains option seems a bit cleaner to me, but obviously no
> good if the above situation is possible.  If  the ipchains table is

Agreed, the second is the way to go. With rp_filter providing spoof
protection, specifying the interfaces along with the addresses is not
strictly needed (but "belts and suspenders," after all).

good times,

Vineet                                   http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\!             |tr 'a-zA-Z' 'n-za-mN-ZA-M'
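As an added illustration (not part of either poster's message), the following simulates why strict rp_filter answers the spoofing question above: a packet claiming Y's source address but arriving on the Internet modem is dropped because the route back to that source leaves by the other modem. The routing table, the address ranges and the ACCEPT target of the second ipchains rule are assumptions for the example, not values from the thread.

```python
import ipaddress

# Constructed routing table for the machine "X" in the thread (addresses are
# made up): ppp0 is the Internet link, ppp1 the dial-up to Y, eth0 the LAN.
ROUTES = [
    ("10.1.0.0/16", "ppp1"),     # Y's network, reached over /dev/ttyS2
    ("192.168.5.0/24", "eth0"),  # local LAN
    ("0.0.0.0/0", "ppp0"),       # default route: the Internet modem
]
Y_NET = ipaddress.ip_network("10.1.0.0/16")  # assumed value of the rule's -s


def route_iface(addr):
    """Longest-prefix match: which interface would a reply to addr leave on?"""
    best = None
    for cidr, iface in ROUTES:
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(addr) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def rp_filter_accepts(in_iface, src):
    """Strict reverse-path filter: the packet's source must be routed back out
    the interface it arrived on, otherwise the kernel drops it before filtering."""
    return route_iface(src) == in_iface


def ipchains_accepts_telnet(in_iface, src, dport):
    """The second rule from the thread, as assumed here:
    -I input -i ppp+ -s <Y net> --destination-port=23 -p tcp -j ACCEPT"""
    return (in_iface.startswith("ppp") and dport == 23
            and ipaddress.ip_address(src) in Y_NET)


def packet_allowed(in_iface, src, dport):
    """Order as in the kernel: rp_filter runs before the input chain sees the packet."""
    return rp_filter_accepts(in_iface, src) and ipchains_accepts_telnet(in_iface, src, dport)
```

The interesting case is a packet on ppp0 with a source inside Y's range: the ipchains rule alone would accept it, rp_filter rejects it.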

