Firewall Wizards mailing list archives

Re: [firewall-wizards] Bypassing firewall


From: Magosanyi Arpad <mag () bunuel tii matav hu>
Date: Tue, 25 Jan 2000 07:59:51 +0100

My mailer thinks that Mailing Lists wrote the following:
Hi!

Back where I work, we are using a firewall that blocks everything coming in, 
and gives internal users permission to use the www, ftp, pop and mail 
ports.  (no icq, no aol, no nothing else).

But I overheard one of my users bragging that he bypassed the firewall 
using two linux machines doing port redirection.

I did a little research on this and the most plausible way I found is that 
he is running a linux inside the firewall which grabs everything on a 
certain port (let's say the icq server port), then forwards it through port 
80 to another linux box outside the firewall which makes the actual call to 
the icq server on the right port.  Is that possible?  Are there any other 
alternatives he can be using?

The easiest way is to use the port-forwarding mechanism of ssh. And today's
proxies nearly all happily accept any protocol through, including ssh.
The other solution is to use the ssh vpn hacque. It has a modified
version using telnet. This is the most dangerous thingie, because it opens
not just one port of a specific machine, but a whole network.
If you use a modern proxying firewall though, you should be reasonably
safe with the above protocols, iff configured restrictively enough,
because they all make some protocol checking. I mean safe against clueless
script kiddies. Let me see:
www: there is the CONNECT method, which connects you to an arbitrary port.
        using it is more than reasonably easy
ftp: hacking up some ftp client & server like thingie which connects the
peers using PORT (or in passive) seems to be reasonably easy, as it is
uncommon to check the data channel of ftp even for the direction of data flow.
pop: I don't know the protocol enough to suggest an easy way, but sending
bunches of packets as the mail messages back and forth would again be
reasonably easy using a rogue pop client-server.
mail: smtp mail is usually implemented in a store-and-forward fashion, so
it is not really good for online proxying. But think of a procmailrc of an
inside user, which just executes every line of the incoming letters which
starts with, say, "^execute-it:". This is reverse proxying.

There are also reverse proxies I know of using http, icmp, and DNS.
Please note that in case of packet filter firewalls (even stateful ones)
getting through from the inside should be magnitudes easier than in the
above cases.

This is why we should have _real_ protocol proxies with covert channel
reduction, stacking support and MIMD (un)encryption features.
What we do not have now :(

-- 
GNU GPL: only from a pure source
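One defender-side check for the CONNECT abuse the reply describes, as an added example that is not part of the post or the list: it scans Squid-style proxy access-log lines (constructed here, not real traffic) and flags CONNECT requests to ports other than 443, or 443 tunnels held open long enough to look interactive. The log layout, the 443-only allowlist and the five-minute threshold are assumptions a site would adjust.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed Squid native access.log lines (timestamp, elapsed ms, client,
# result, bytes, method, URL, ...). Not taken from the post.
SAMPLE_LOG = """\
948783591.123   1200 10.0.0.5 TCP_TUNNEL/200 8200 CONNECT www.example.com:443 - DIRECT/198.51.100.7 -
948783600.456 600000 10.0.0.9 TCP_TUNNEL/200 912345 CONNECT 203.0.113.10:5190 - DIRECT/203.0.113.10 -
948783610.789 400000 10.0.0.9 TCP_TUNNEL/200 1048576 CONNECT 203.0.113.11:80 - DIRECT/203.0.113.11 -
948783620.000    300 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/198.51.100.7 text/html
948783630.000 900000 10.0.0.9 TCP_TUNNEL/200 3000000 CONNECT 203.0.113.12:443 - DIRECT/203.0.113.12 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

ALLOWED_CONNECT_PORTS = {443}    # assumed policy: CONNECT is only for HTTPS
LONG_TUNNEL_MS = 5 * 60 * 1000   # assumed threshold: longer looks like a shell/IM session


@dataclass
class Finding:
    client: str
    target: str
    reason: str


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious CONNECT line, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("method") != "CONNECT":
        return None
    _host, _, port_text = m.group("url").rpartition(":")
    port = int(port_text) if port_text.isdigit() else 0  # 0 = malformed, treated as disallowed
    if port not in ALLOWED_CONNECT_PORTS:
        return Finding(m.group("client"), m.group("url"), f"CONNECT to non-allowlisted port {port}")
    if int(m.group("elapsed_ms")) > LONG_TUNNEL_MS:
        return Finding(m.group("client"), m.group("url"), "long-lived CONNECT tunnel")
    return None


def scan(log_text: str) -> List[Finding]:
    """Run check_line over every line of a log and collect the findings."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.client} -> {finding.target}: {finding.reason}")
```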
