[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: piercing ipmasq

On Fri, Feb 16, 2001 at 07:11:56AM -0500, nrvale0 wrote:
> How can I formulate my ICMP packet at evil host s.t. it may get to
> target host. I can't just put target host's IP address in the DEST
> field because it will never be able to travel the Internet due to the
> non-routable DEST address. Is this a job for src routing? Is there
> some other way to handle this?

If you're on the same subnet, you could change the evil host's routing tables
to send packets to the firewall. Otherwise, it's pretty impossible unless
every router between the evil host and the destination is misconfigured to 
accidently route those packets in the right direction such that they end
up at the firewall.

Anyhow, this rule:

ipchains -A input -i $extint -s -d -l -j REJECT

Where $extint is my external ethernet interface and is my
internal net, makes the firewall throw any packets from the outside destined
for any address on the inside away, which makes this whole thing moot.

I have yet to get any log entries from this rule.

Jordan Bettis <http://www.hafd.org/~jordanb/>
Ooohh.. "FreeBSD is faster over loopback, when compared to Linux
over the wire". Film at 11.'
                       -- Linus Torvalds

Reply to: