Firewall Wizards mailing list archives

RE: FW: nmap fun


From: "LeGrow, Matt" <Matt_LeGrow () NAI com>
Date: Fri, 27 Oct 2000 07:49:12 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----Original Message-----
From: Bret Watson [mailto:lists () ticm com]
Sent: Thursday, October 26, 2000 7:07 PM
To: LeGrow, Matt
Cc: firewall-wizards () nfr com
Subject: Re: FW: [fw-wiz] nmap fun


That last comment sounds like we might have hit the nail.... we have
noticed that it is surprisingly hard to convince Gauntlet to
disable a proxy that we don't want anymore.  Sure it stops
permitting the traffic through but it still responds and runs..

Yeah, but that doesn't explain SNMP or Sun Help.  That sure sounds
like you are getting responses from elsewhere....


But in short it appears that Gauntlet lets all connections
through and then terminates them after the fact - much room for
packet hacking here I think..

Bret


I really don't think this is the case in general, but perhaps
something specific to this installation.  The Gauntlet
packet-filtering code, though limited, is pretty solid.  It doesn't
just "leak" packets, unless you have explicitly told it to do so. 
The fact that you have enabled NAT is interesting, and makes me want
to believe that you are probably configuring the Gauntlet to
NAT-and-forward outbound/inbound packets through the firewall, in
which case your Gauntlet proxies are only going to pick up outbound
requests (assuming your forward rule takes precedence over the
default absorb rules on the internal interface, which I am not sure
about), and are not going to protect you from the outside coming in.

If this is the case, you should probably disable all of your filters,
as others here have suggested, and try and find an alternate
configuration.  The packet filtering rules will take precedence over
anything that the proxies will pick up.  If you are going to use the
Gauntlet as a sort of "transparent NAT device" you should probably
absorb on both sides of the FW so if a packet is bound for your
internal network, it will be absorbed and processed by a proxy, and
immediately dropped if there is not a proxy available for that
service.

Matt LeGrow
Network Associates, Inc.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Note : Opinions expressed herein are most certainly NOT that of my
employer :-) 

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>

iQA/AwUBOfmV6fbW52zw8/NBEQJSCgCfUyNMiKPBVrlt2RKucx+XjF4/6pgAoN7n
/GS73Zm1trQQhHZi2VtOwyYx
=98Yf
-----END PGP SIGNATURE-----

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
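The ordering argument in Matt's reply (a packet-filter forward rule is evaluated before the proxy "absorb" rules, so it shadows them and lets inbound ports through untouched, whereas absorbing on both interfaces hands every packet to a proxy or drops it) can be illustrated with a small first-match rule evaluator. This is an added, constructed model written for this archive page; it is not Gauntlet code, not its netperm-table or screening syntax, and it takes Matt's "forward takes precedence over absorb" as an assumption, which he himself flags as uncertain. The proxy set, interface names, rule shapes and probe port list are all hypothetical.

```python
"""Toy model of first-match firewall rule evaluation, written to illustrate the
thread's point: a blanket NAT-and-forward packet-filter rule evaluated ahead of
the proxy 'absorb' rules exposes every inbound port, while absorb-on-both-sides
hands packets to a proxy or drops them.  Constructed example, not Gauntlet code."""
from dataclasses import dataclass

# Hypothetical set of application proxies configured on the firewall.
PROXIES = {"ftp": 21, "smtp": 25, "http": 80}
PROXY_PORTS = set(PROXIES.values())


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "ext" (outside) or "int" (inside)
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    kind: str    # "forward": packet filter passes it through (NAT-and-forward)
                 # "absorb":  hand it to the local proxy for that port
    iface: str   # "ext", "int", or "any"


def evaluate(rules, pkt):
    """First-match evaluation (assumption: filter rules are consulted before
    proxy absorb rules, so rule order alone decides who sees the packet).
    Returns 'forwarded', 'proxied' or 'dropped'."""
    for rule in rules:
        if rule.iface not in ("any", pkt.iface):
            continue
        if rule.kind == "forward":
            return "forwarded"   # passed straight through; no proxy ever sees it
        if rule.kind == "absorb":
            # Absorbed packets reach a proxy only if one listens on that port;
            # otherwise they are dropped immediately.
            return "proxied" if pkt.dport in PROXY_PORTS else "dropped"
    return "dropped"   # default deny when nothing matches


def reachable_ports(rules, iface, ports):
    """Simulated port scan: ports that would answer a probe arriving on iface."""
    return sorted(p for p in ports if evaluate(rules, Packet(iface, p)) != "dropped")


def shadowed_absorbs(rules):
    """Config check: indices of absorb rules that can never match because an
    earlier forward rule already covers their interface."""
    forwarded_ifaces = set()
    shadowed = []
    for i, rule in enumerate(rules):
        if rule.kind == "forward":
            forwarded_ifaces.add(rule.iface)
        elif rule.kind == "absorb" and (
            "any" in forwarded_ifaces or rule.iface in forwarded_ifaces
        ):
            shadowed.append(i)
    return shadowed


# Policy A: the suspected misconfiguration, a NAT-and-forward rule placed ahead
# of the per-interface absorb rules.
POLICY_FORWARD_FIRST = [Rule("forward", "any"), Rule("absorb", "int"), Rule("absorb", "ext")]

# Policy B: absorb on both sides, no blanket forward rule.
POLICY_ABSORB_BOTH = [Rule("absorb", "int"), Rule("absorb", "ext")]

# Constructed probe list; 161 stands in for the SNMP response seen in the thread.
SCAN_PORTS = [21, 22, 25, 80, 161, 443, 1024]

if __name__ == "__main__":
    for name, policy in (("forward-first", POLICY_FORWARD_FIRST), ("absorb-both", POLICY_ABSORB_BOTH)):
        print(name, "reachable from outside:", reachable_ports(policy, "ext", SCAN_PORTS),
              "shadowed absorb rules:", shadowed_absorbs(policy))
```

Under the forward-first policy every probed port answers from the outside because the forward rule matches before any absorb rule runs; under absorb-both only the ports with a proxy behind them (21, 25, 80) answer and the rest are dropped. `shadowed_absorbs` is the check to run on a rule set before trusting the proxies: any absorb rule it reports is dead configuration.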

