Re: iptables forwarding to inside firewall
Hi
On Monday 31 March 2003 02:24, Paul Hampson wrote:
> On Sun, Mar 30, 2003 at 05:23:10PM -0500, Robert Brockway wrote:
> > On Fri, 28 Mar 2003, Hanasaki JiJi wrote:
> > > Working on running a SMTP server inside the firewall that takes
> > > incoming SMTP traffic from outside the firewall. The below rules are
> > > not working. The firewall refuses connections. Any input on what
> > > wrong?
> >
> > If a remote exploit is found in the MTA running on your internal host (as
> > has just occurred with sendmail again), an attacker may be able to launch
> > a direct attack on this box. Depending on your overall security
> > structure they may then be able to attack any number of hosts behind your
> > firewall.
> >
> > Some of the alternatives aren't much better. Running an MTA on your
> > firewall is just as bad, as a remote exploit here may allow an attacker
> > access to root on the firewall, allowing the firewall to be
> > circumvented again.
> >
> > If you have more than 1 static address, an MTA running in a DMZ is
> > definitely better. This way you could still have your internal MTA being
> > port forwarded, but restrict access through the firewall by source address,
> > such that only your MTA in the DMZ can access the port redirect. If you
> > can restrict access by way of network interface on the firewall[1] then
> > you're much much better off again, as this protects against a spoof.
>
> I don't quite follow this... Surely if one can break into the
> port-forwarded MTA, one can break into DMZ's MTA, which would
> then allow the attacker to access the port-forwarding anyway?
I think so; it only depends on how paranoid you are and how many levels of
security you think you need. A lot of people could tell a lot of things
against proxies, multiplexors, and talk about the virtues of a NATed
environment...
Going back to the original thread, I think the problem should be in the forward
rule of the internal interface; I can't see any rule like that in the rules,
and if the default policy of the forward hook is DROP the packets will be
rejected at this point. A forward rule allowing this traffic should permit
incoming traffic to the internal SMTP server.
Best Regards
Victor
--
March
One of the worst months for going around dragging the world into absurd wars.
The other months of the same kind are: January, February, April, May, June,
July, August, September, October, November and December.
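The missing FORWARD rule Victor describes, combined with Robert's advice to restrict the port redirect by source address and interface, as an added example script that is not part of the thread. Interface names and addresses are constructed placeholders; the script prints the rule set for review instead of applying it.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names and addresses are
# constructed placeholders; adjust them to the real topology.
INT_IF=eth1           # internal network interface
DMZ_IF=eth2           # DMZ interface
FW_DMZ_IP=192.0.2.1   # firewall address the DMZ relay connects to on port 25
DMZ_MTA=192.0.2.25    # the only host allowed to use the port redirect
INT_MTA=10.0.0.25     # internal SMTP server receiving the forwarded traffic

# Print the rule set rather than applying it, so it can be reviewed first
# (apply with: smtp_forward_rules | sh).
smtp_forward_rules() {
    cat <<EOF
# Routing between interfaces must be enabled or nothing is forwarded at all.
sysctl -w net.ipv4.ip_forward=1
# Default-deny forwarding: this policy silently drops the DNATed packets
# whenever no matching FORWARD rule exists (the symptom in the original post).
iptables -P FORWARD DROP
# Reply packets of connections that were already accepted.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Port redirect: only honoured for the DMZ relay, and only when it arrives on
# the DMZ interface, so a spoofed source on another interface does not match.
iptables -t nat -A PREROUTING -i $DMZ_IF -s $DMZ_MTA -d $FW_DMZ_IP -p tcp --dport 25 -j DNAT --to-destination $INT_MTA:25
# The rule the original poster was missing: after DNAT the packet traverses
# FORWARD with the internal MTA as its destination and must be accepted there.
iptables -A FORWARD -i $DMZ_IF -o $INT_IF -s $DMZ_MTA -d $INT_MTA -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
EOF
}
```

Any SMTP connection from a source other than the DMZ relay, or arriving on a different interface, matches neither the DNAT nor the FORWARD accept and falls through to the DROP policy.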