Firewall Wizards mailing list archives

Re: dirty packet tricks?


From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 11 Jul 2002 09:44:46 -0600 (MDT)

On Thu, 11 Jul 2002, Marcus J. Ranum wrote:
> techniques of the firewall transparency masters. ;) What
> I was thinking of doing was basically implementing the same
> thing as proxy transparency _without_ having to alter the
> routing topology of the network or place myself in the
> routing path as a bridge or whatever. It occurred to me
> the other day that this might be possible, which is why
> I am pursuing it at this moment. It'd be kind of cool: you
> could just tell your firewall "block all packets to XXX"
> and have this mystery box pick the traffic up, and then
> application-level proxy it without the end user being
> able to notice a thing. There are many fun applications
> for such a capability. ;)
<snip>
> That's really the meat of my question. I was thinking that I
> could suck 'em up promiscuously!! :)

Wow, that's..not normal.  OK.  So, you want to build a hijacking router.
So what do the route tables and subnet masks on the client machines look
like, in theory?  The clients have to believe that there is some route to
the Internet, or they won't ever bother trying to get there.  They either
have to believe the Internet is all on the local segment (subnet mask
0.0.0.0, probably not workable..) or they have to think that it's through
another router.  I have to assume that if you don't want your transparent
proxy thing to be the "official" router, then there must be another
router, which means you must have multiple local subnets.  Your firewall
will have to have the ability to suck packets off all subnets you want to
be able to reach the Internet, or have multiple ones, etc...

So, the real router will be the one "officially" receiving the packets,
while your transparent proxy watches from the side, and starts replying at
the appropriate point.  The real router just needs to be configured to
black-hole route the Internet traffic, and not send back any sort of ICMP
unreachable about it.  As a shim, just have the transparent proxy
substitute its own MAC address for the MAC address of the real router in
the frames on the way in, and re-inject them into its own stack.  The
transparent proxy just needs a small table of all the default gateway MAC
addresses it will be substituting for.

Of course, if you've got a real router, why not just have it route the
traffic through the proxy, like every other firewall out there?

Unless I'm misunderstanding the scenario...

                                        Ryan
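The shim Ryan sketches above (watch from the side, rewrite the real router's destination MAC to the proxy's own, re-inject into the local stack), as an added example that is not from the thread: it parses a raw Ethernet/IPv4 frame and decides whether to rewrite it. Frame contents, MAC addresses and address ranges are constructed; the function only transforms bytes in memory, and the gateway table and "proxied" network list are the assumed inputs.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

ETHERTYPE_IPV4 = 0x0800

def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, dst_ip) for an untagged IPv4 frame, else None."""
    if len(frame) < 14 + 20:
        return None
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4 or (frame[14] >> 4) != 4 or (frame[14] & 0x0F) < 5:
        return None
    return dst_mac, src_mac, IPv4Address(frame[14 + 16:14 + 20])

def shim_frame(frame: bytes, own_mac: bytes, gateway_macs, proxied_nets):
    """The MAC-substitution shim: if the frame is addressed to a router we stand in
    for and its destination IP is one the real router black-holes, return a copy
    with our own MAC as destination (fit for re-injection into the local stack).
    Return None when the frame is not ours to pick up. Only the L2 header changes,
    so the IPv4 checksum stays valid."""
    parsed = parse_frame(frame)
    if parsed is None:
        return None
    dst_mac, _, dst_ip = parsed
    if dst_mac not in gateway_macs:
        return None  # not sent to a gateway in our substitution table
    if not any(dst_ip in net for net in proxied_nets):
        return None  # local/other traffic the real router still handles
    return own_mac + frame[6:]

def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload=b""):
    """Constructed test input: minimal IPv4 frame (header checksum left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload

# Constructed addresses: the real default gateway, the proxy box, and a client.
GATEWAY_MAC = bytes.fromhex("021122334455")
PROXY_MAC = bytes.fromhex("02aabbccdd01")
CLIENT_MAC = bytes.fromhex("02cafe000001")
GATEWAYS = {GATEWAY_MAC}                       # "small table of default gateway MACs"
PROXIED = [IPv4Network("198.51.100.0/24")]     # the "block all packets to XXX" range
```

A frame to 198.51.100.0/24 via the gateway comes back with `PROXY_MAC` as destination; a frame to a local host, or one not addressed to the gateway, is returned as `None` and left alone.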

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
