Firewall Wizards mailing list archives

RE: Bypassing firewall


From: "Eckhardt, H.J.R. - DTOMLD" <HJR.Eckhardt () dto mindef nl>
Date: Tue, 1 Feb 2000 16:01:47 +0100

Not true!

Your example is not using a proxy-based firewall; you are using the
transparent DNS port. If you force the DNS through a proxy process, as it
should be on a proxy-based firewall (hidden DNS or similar) (no transparent
connection at all), then this trick will not work.

Regards, H.


-----Original Message-----
From: Robert Purdy [mailto:liteyear () ihug co nz]
Sent: Sunday, 30 January 2000 12:31
To: firewall-wizards () nfr net
Subject: RE: Bypassing firewall


Hi,
Try this, it's from the Linux HOWTOs, under firewalls
15. Defeating a Proxy Firewall
Just to spoil your day, and keep you on your toes about security, I'll
describe how easy it is to defeat a proxy firewall.

Let's say you have done everything in this document and have a very secure
server and network. You have a DMZ and no one can get into your network and
you are logging every connection made to the outside world. You make all
your users go through a proxy and the only service you allow to go direct to
the outside is DNS (port 53).

One port, that is all it takes to make a firewall worthless. Here is how it
is done.

Start by setting up a Linux box somewhere outside your LAN. A good choice
would be a box at home connected to the Internet through a cable modem.

Ask your ISP for three IP numbers. Most cable companies will provide up to
three.

On this box you need to install the client part of a Virtual Private Network
(vpn). See: http://sunsite.auc.dk/vpnd/

Now set up the server side on the VPN with another Linux box. Connect this
server to its client through port 53. Turn on routing and forwarding and
put an unused IP number you got from your ISP on its LAN port.

Finally, on a workstation on the private LAN, change the default gateway to
point to the vpn servers and add the third IP number to its LAN port.

Now, from this workstation, you can go anywhere. The only thing the firewall
admin will see is a really long DNS lookup.

Now, take over the world!

Cheers,
Rob Purdy
WAN Consultant
Datacom Systems Ltd.
Auckland, New Zealand

-----Original Message-----
From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Kaptain
Sent: Thursday, 27 January 2000 13:45
To: Riley, Steven
Cc: 'firewall-wizards () nfr net'
Subject: RE: Bypassing firewall


It's article 52-16.

-K


On Tue, 25 Jan 2000, Riley, Steven wrote:

Phrack 56-16 had a good article on what you suggested. I think the article
was called 'Piercing a Firewall'.


-----Original Message-----
From: Mailing Lists [mailto:mlist () almerco ca]
Sent: 23 January 2000 16:06
To: firewall-wizards () nfr net
Subject: Bypassing firewall


Hi!

Back where I work, we are using a firewall that blocks everything coming
in, and gives internal users permission to use the www, ftp, pop and mail
ports.  (no icq, no aol, no nothing else).

But I overheard one of my users bragging that he bypassed the firewall
using two linux machines doing port redirection.

I did a little research on this and the most plausible way I found is that
he is running a linux inside the firewall which grabs everything on a
certain port (let's say the icq server port), then forwards it through port
80 to another linux box outside the firewall which makes the actual call to
the icq server on the right port.  Is that possible?  Are there any other
alternatives he can be using?

btw, I don't know what the firewall used is, I'm the sysadm for my
division, but we are using the corporate firewall.

Thanks!


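The kind of check a proxy process on port 53 could apply, as argued in the top reply, shown as an added example (not code from the thread, the HOWTO or any firewall product). It accepts a datagram only if it parses as one well-formed DNS query, which covers the case in this thread where the traffic on port 53 is not DNS at all. The function names and the 512-byte limit (no EDNS0) are assumptions.

```python
import struct

MAX_UDP_DNS = 512  # RFC 1035 UDP limit; assumption: EDNS0 is not in use


def build_query(name, txid=0x1234):
    """Constructed sample input: a plain recursive A query for `name`."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!2H", 1, 1)


def check_dns_query(payload):
    """Return (ok, reason) for one datagram an inside host sent to port 53."""
    if not 12 <= len(payload) <= MAX_UDP_DNS:
        return False, "bad length"
    _txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:
        return False, "QR bit set: response, not query"
    if (flags >> 11) & 0xF:
        return False, "opcode is not QUERY"
    if (qd, an, ns, ar) != (1, 0, 0, 0):
        return False, "unexpected section counts"
    pos, name_len = 12, 0
    while True:  # walk the QNAME labels
        if pos >= len(payload):
            return False, "name runs past end of datagram"
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:  # also rejects compression pointers (0xC0 and up)
            return False, "label too long"
        name_len += length + 1
        if name_len > 254:  # 255 octets on the wire including the final zero
            return False, "name too long"
        pos += length
    if len(payload) - pos != 4:
        return False, "missing or trailing bytes after question"
    _qtype, qclass = struct.unpack("!2H", payload[pos:pos + 4])
    if qclass != 1:
        return False, "class is not IN"
    return True, "ok"


if __name__ == "__main__":
    samples = {"query": build_query("www.example.com"),
               "padded": build_query("www.example.com") + b"\x00" * 200,
               "not dns": bytes(range(64))}  # all constructed
    for label, data in samples.items():
        print(label, check_dns_query(data))
```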




