Bugtraq mailing list archives
Re: Default configuration in WatchGuard Firewall
From: cbrenton () SOVER NET (Chris Brenton)
Date: Sat, 4 Sep 1999 13:57:41 -0400
Alfonso Lazaro wrote:
> I have found a misconfiguration in the default configuration of WatchGuard Firewall. By default it appends a rule that accepts pings from any to any. So if our firebox is defending our internal network (192.168.x.x ...) and our WG Firewall is a proxy with an external IP on the Internet (100.100.100.100, hypothetical IP address), the attacker can change his/her routes like so:
>
> # route add -net 192.168.0.0 netmask 255.255.255.0 gw 100.100.100.100
> # ping 192.168.1.1
Not to detract from the security implications of allowing echo-request inbound unchecked, but in most cases the above would be of little use. Every router between the attacker and the WatchGuard firewall would need to be configured to point 192.168.0.0 towards the firewall, something that is not going to happen per the RFCs (unless the attacker also compromises each router along the link).

The above attack pattern would only be useful in the following situation:

1) The attacker can source route inbound traffic
2) The protected network is actually legal, routed address space
3) The attacker gains access to the wire between the firewall & the Internet router

If #1 works, shame on you. If #3 works, you have bigger problems than ICMP through the firewall. ;)

Cheers,
Chris

--
**************************************
cbrenton () sover net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
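The routing argument in the reply above, as an added example that is not part of the original thread: a hop-by-hop forwarding model shows that a packet for 192.168.1.1 sent from an Internet-located host never reaches the firewall, while a host on the firewall's own wire (case #3) does reach it, at which point only the firewall's ICMP policy decides. The topology, hop names, addresses and the two policy functions are constructed; WatchGuard's actual rule syntax is not modelled, only the "accept ping any to any" behaviour the thread describes.

```python
"""Hop-by-hop forwarding model for the 192.168.0.0 route trick (added example)."""
import ipaddress


def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next-hop) entries."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in table if addr in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: ipaddress.ip_network(m[0]).prefixlen)[1]


def forward(tables, first_hop, dst, max_hops=16):
    """Follow the packet until it reaches 'firewall', hits a hop with no
    route, or bounces between default routes until the TTL runs out."""
    hop, path = first_hop, []
    for _ in range(max_hops):
        path.append(hop)
        if hop == "firewall":
            return "delivered", path
        nh = lookup(tables[hop], dst)
        if nh is None:
            return "no route", path
        hop = nh
    return "ttl expired", path


# Constructed topology. Nobody announces 192.168.0.0/16 (RFC 1918), so the
# Internet routers only know the firewall's public /24 and a default route.
TABLES = {
    "attacker": [("192.168.0.0/24", "isp1"), ("0.0.0.0/0", "isp1")],  # the `route add`
    "isp1": [("100.100.100.0/24", "isp2"), ("0.0.0.0/0", "core")],
    "core": [("0.0.0.0/0", "isp1")],  # default points back: the packet loops
    "isp2": [("100.100.100.0/24", "firewall")],
    "onwire": [("0.0.0.0/0", "firewall")],  # host on the firewall's segment (case #3)
}


def default_policy(src, dst, proto):
    """The default rule from the thread: echo-request accepted from any to any."""
    return proto == "echo-request"


def hardened_policy(src, dst, proto):
    """Constructed fix: inbound echo-request accepted only for the firebox itself."""
    return proto == "echo-request" and dst == "100.100.100.100"


def ping_reaches_host(first_hop, policy, src="198.51.100.7", dst="192.168.1.1"):
    """True only if the echo-request both arrives at the firewall and passes policy."""
    status, _ = forward(TABLES, first_hop, dst)
    return status == "delivered" and policy(src, dst, "echo-request")
```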