Subject: Re: Security Problems with Linux 2.2.x IP Masquerading
From: Darren Reed (avalonCOOMBS.ANU.EDU.AU)
Date: Tue Mar 28 2000 - 23:59:09 CST


In some mail from Nigel Metheringham, sie said:
>
> hdmSECUREAUSTIN.COM said:
> > The UDP masquerading code only checks the DESTINATION PORT to
> > determine if a packet coming from the external network is to be
> > forwarded inside.
>
> this is due to a number of hosts/services returning UDP from an IP
> other than that which the original UDP packet went to - for example it
> is frequently the case that NFS servers just use the interface ip
> address "closest" to that which the NFS op came from.

Common sense would suggest that the client should be using that address
too...

> I'll give this some thought to work out a way of narrowing this hole (I
> don't think it can be completely closed without causing other problems).

Here's some advice from the implementation of IP Filter:
I've had it closed since day 0 and had 0 reports of problems because of it.

Cheers,
Darren
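An added illustration of the check the thread argues about, not code from the Linux masquerading code or from IP Filter: a toy UDP masquerading table whose reply lookup can either match on the masqueraded destination port alone (the behaviour described above) or also require the reply to come from the peer the client originally sent to. All addresses and ports are constructed.

```python
# Added example: toy model of a UDP masquerading (NAT) table; not kernel or
# IP Filter code. Addresses and ports below are constructed for the demo.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    int_ip: str      # internal client address
    int_port: int    # internal client UDP port
    ext_ip: str      # external host the client sent to
    ext_port: int    # external UDP port the client sent to
    masq_port: int   # source port the gateway rewrote the packet to


class MasqTable:
    """strict=False: a reply matches if its destination port is a known
    masqueraded port (any source host/port is accepted and forwarded).
    strict=True: the reply must also come from the original peer."""

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.entries: Dict[int, Flow] = {}   # keyed by masqueraded port

    def outbound(self, int_ip: str, int_port: int, ext_ip: str,
                 ext_port: int, masq_port: int) -> Flow:
        flow = Flow(int_ip, int_port, ext_ip, ext_port, masq_port)
        self.entries[masq_port] = flow
        return flow

    def inbound(self, src_ip: str, src_port: int,
                dst_port: int) -> Optional[Tuple[str, int]]:
        """Internal (ip, port) an external packet is forwarded to, or None
        if the gateway should drop it."""
        flow = self.entries.get(dst_port)
        if flow is None:
            return None
        if self.strict and (src_ip, src_port) != (flow.ext_ip, flow.ext_port):
            return None
        return (flow.int_ip, flow.int_port)


def demo(strict: bool) -> Dict[str, Optional[Tuple[str, int]]]:
    t = MasqTable(strict)
    # constructed: 192.168.1.10:40000 -> 198.51.100.5:53, masqueraded to 61000
    t.outbound("192.168.1.10", 40000, "198.51.100.5", 53, 61000)
    return {
        "genuine reply": t.inbound("198.51.100.5", 53, 61000),
        "other host, same port": t.inbound("203.0.113.9", 53, 61000),
        "other interface of server": t.inbound("198.51.100.6", 53, 61000),
        "no mapping": t.inbound("198.51.100.5", 53, 61001),
    }
```

The "other interface of server" case is the NFS-style reply Nigel describes: the strict lookup drops it, which is the trade-off between the two positions in the thread.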