Re: piercing ipmasq



On Fri, Feb 16, 2001 at 07:11:56AM -0500, nrvale0 wrote:
> How can I formulate my ICMP packet at evil host s.t. it may get to
> target host. I can't just put target host's IP address in the DEST
> field because it will never be able to travel the Internet due to the
> non-routable DEST address. Is this a job for src routing? Is there
> some other way to handle this?

If you're on the same subnet, you could change the evil host's routing tables
to send packets to the firewall. Otherwise, it's pretty impossible unless
every router between the evil host and the destination is misconfigured to
accidentally route those packets in the right direction such that they end
up at the firewall.

Anyhow, this rule:

ipchains -A input -i $extint -s 0.0.0.0/0 -d 192.168.1.0/24 -l -j REJECT

Where $extint is my external ethernet interface and 192.168.1.0/24 is my
internal net, makes the firewall throw any packets from the outside destined
for any address on the inside away, which makes this whole thing moot.

I have yet to get any log entries from this rule.

-- 
Jordan Bettis <http://www.hafd.org/~jordanb/>
Ooohh.. "FreeBSD is faster over loopback, when compared to Linux
over the wire". Film at 11.'
                       -- Linus Torvalds
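
Added illustration, not part of the original message: a small Python model of how the ipchains rule quoted above matches packets, run over three constructed packets. The interface names eth0/eth1 and the 203.0.113.7 and 198.51.100.1 addresses are assumptions made for the example; only the rule text comes from the post.

```python
import ipaddress
import shlex

# The rule from the post; "eth0" stands in for $extint (assumed name).
RULE = "ipchains -A input -i eth0 -s 0.0.0.0/0 -d 192.168.1.0/24 -l -j REJECT"
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_rule(text):
    """Parse the subset of ipchains options that appears in the post."""
    rule = {"chain": None, "iface": None, "src": ANY, "dst": ANY,
            "log": False, "target": None}
    keys = {"-A": "chain", "-i": "iface", "-s": "src", "-d": "dst", "-j": "target"}
    args = shlex.split(text)[1:]              # drop the leading "ipchains"
    while args:
        opt = args.pop(0)
        if opt == "-l":                       # flag only: log matching packets
            rule["log"] = True
        elif opt in keys and args:
            val = args.pop(0)
            rule[keys[opt]] = ipaddress.ip_network(val) if opt in ("-s", "-d") else val
        else:
            raise ValueError(f"unsupported or incomplete option: {opt}")
    return rule

def verdict(rule, iface, src, dst):
    """Return (target, logged) when the packet matches, else (None, False)."""
    hit = (rule["iface"] in (None, iface)
           and ipaddress.ip_address(src) in rule["src"]
           and ipaddress.ip_address(dst) in rule["dst"])
    return (rule["target"], rule["log"]) if hit else (None, False)

# Constructed packets: (arrival interface, source, destination).
PACKETS = [
    ("eth0", "203.0.113.7", "192.168.1.10"),  # outside, addressed to inside host
    ("eth0", "203.0.113.7", "198.51.100.1"),  # to the firewall's own (assumed) public IP
    ("eth1", "192.168.1.5", "192.168.1.10"),  # inside interface, never matches -i eth0
]

if __name__ == "__main__":
    r = parse_rule(RULE)
    for pkt in PACKETS:
        print(pkt, "->", verdict(r, *pkt))
```

Only the first packet is rejected and logged. Replies to masqueraded connections arrive addressed to the firewall's external address, as in the second packet, so the rule leaves them alone.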


