Firewall Wizards mailing list archives
Re: dirty packet tricks?
From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 11 Jul 2002 09:44:46 -0600 (MDT)
On Thu, 11 Jul 2002, Marcus J. Ranum wrote:
> techniques of the firewall transparency masters. ;) What I was thinking of doing was basically implementing the same thing as proxy transparency _without_ having to alter the routing topology of the network or place myself in the routing path as a bridge or whatever. It occurred to me the other day that this might be possible, which is why I am pursuing it at this moment. It'd be kind of cool: you could just tell your firewall "block all packets to XXX" and have this mystery box pick the traffic up, and then application-level proxy it without the end user being able to notice a thing. There are many fun applications for such a capability. ;)

<snip>

> That's really the meat of my question. I was thinking that I could suck 'em up promiscuously!! :)

Wow, that's... not normal. OK. So, you want to build a hijacking router.

So what do the route tables and subnet masks on the client machines look like, in theory? The clients have to believe that there is some route to the Internet, or they won't ever bother trying to get there. They either have to believe the Internet is all on the local segment (subnet mask 0.0.0.0, probably not workable..) or they have to think that it's through another router.

I have to assume that if you don't want your transparent proxy thing to be the "official" router, then there must be another router, which means you must have multiple local subnets. Your firewall will have to have the ability to suck packets off all subnets you want to be able to reach the Internet, or have multiple ones, etc...

So, the real router will be the one "officially" receiving the packets, while your transparent proxy watches from the side, and starts replying at the appropriate point. The real router just needs to be configured to black-hole route the Internet traffic, and not send back any sort of ICMP unreachable about it.

As a shim, just have the transparent proxy substitute its own MAC address for the MAC address of the real router in the frames on the way in, and re-inject them into its own stack. The transparent proxy just needs a small table of all the default gateway MAC addresses it will be substituting for.

Of course, if you've got a real router, why not just have it route the traffic through the proxy, like every other firewall out there? Unless I'm misunderstanding the scenario...

Ryan
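
The MAC-substitution shim described in the message above, sketched as an added example that is not part of the original post or anyone's actual implementation. All MAC addresses, subnets and function names are constructed, and the check that skips traffic between local subnets is an assumption about what "Internet traffic" means here.

```python
import ipaddress
import struct

# Constructed values for illustration; none of these come from the original post.
PROXY_MAC = bytes.fromhex("02aabbccdd01")        # the transparent proxy's own NIC
GATEWAY_MACS = {                                  # real routers' MACs, one per local subnet
    bytes.fromhex("020000000001"),
    bytes.fromhex("020000000002"),
}
LOCAL_NETS = [ipaddress.ip_network("10.1.0.0/16"),
              ipaddress.ip_network("10.2.0.0/16")]
ETHERTYPE_IPV4 = 0x0800


def shim(frame: bytes):
    """Return the frame readdressed to PROXY_MAC, or None if the proxy ignores it."""
    if len(frame) < 14 + 20:                  # Ethernet header + minimal IPv4 header
        return None
    dst_mac = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if dst_mac not in GATEWAY_MACS or ethertype != ETHERTYPE_IPV4:
        return None                           # not sent to a default gateway, or not IPv4
    dst_ip = ipaddress.ip_address(frame[30:34])   # IPv4 destination address field
    if any(dst_ip in net for net in LOCAL_NETS):
        return None                           # assumed: inter-subnet traffic stays with the router
    return PROXY_MAC + frame[6:]              # only the destination MAC changes


def make_frame(dst_mac: bytes, dst_ip: str) -> bytes:
    """Build a constructed Ethernet + IPv4 header pair (IP checksum left at zero)."""
    src_mac = bytes.fromhex("020000001234")
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.ip_address("10.1.0.50").packed,
                         ipaddress.ip_address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr


if __name__ == "__main__":
    gw = bytes.fromhex("020000000001")
    for dst in ("192.0.2.80", "10.2.0.9"):
        out = shim(make_frame(gw, dst))
        print(dst, "->", "proxy stack" if out else "left for the real router")
```

VLAN-tagged frames (ethertype 0x8100) fall through as "not IPv4" in this sketch, so a tagged segment would need the tag parsed before the IP header offset is valid.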