Firewall Wizards mailing list archives

Re: dirty packet tricks?


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 11 Jul 2002 22:10:07 -0500

On Thu, 2002-07-11 at 10:44, Ryan Russell wrote:
> On Thu, 11 Jul 2002, Marcus J. Ranum wrote:
> > techniques of the firewall transparency masters. ;) What
> > I was thinking of doing was basically implementing the same
> > thing as proxy transparency _without_ having to alter the
> > routing topology of the network or place myself in the
>
> Wow, that's..not normal.  OK.  So, you want to build a hijacking router.
> So what do the route tables and subnet masks on the client machines look
> like, in theory?  The clients have to believe that there is some route to
> the Internet, or they won't ever bother trying to get there.

Ryan,

I think you are complicating the issue. All that Marcus' box needs to do
is sniff the packets off the internal NIC and throw them back out (maybe
using libnet, since you are referring to libpcap for the input). That also
includes ARP/RARP/ICMP and other IP protocols. The scenario for traffic flow
could look like this (Marcus, correct me if I'm wrong):

Inbound email arriving... ISP router ARPs for the IP address of the
target (mail server). Marcus' TransProxyBoxy receives the ARP, runs it
through its rule set, approves it, and spits it back out the internal
interface. The packet written with libnet has the router's source IP
address and the router's MAC address. Mail server responds by sending
its ARP reply to the ISP router. Again, TransProxyBoxy sucks it in from
the internal i/f using libpcap, runs the packet through the rule set and
spits it back out on the external i/f. That packet is again unchanged,
using the mail server's MAC and IP address. Router now sends the SYN
packet for port 25 to the mail server (which it now knows by IP and
MAC). Again, TransProxyBoxy sniffs it off the wire, and pumps it back
out the internal i/f. (I'm not completing the handshake or push packets.
You should get the idea now.)

His box would just pass the traffic on. In effect it is *not* acting as
a router since it does not modify MAC addresses. It acts more like a
bridge although it would pass on broadcasts as well (unless the rule set
prohibits it). There is no need to change any existing configurations.
The clients/proxies/DMZ servers/etc still list the ISP router as the
default gateway. MAC addresses are not changing either (in case someone
set those statically on some device). Same applies to the router, no
change necessary. Realize that he is thinking about a device you can
easily drop into an *existing* setup.

I'm just trying to figure out what Marcus is up to, since transparent
firewalls exist today (e.g. Lucent Brick). Maybe it's more a Hogwash-like
box he's thinking about ;)

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part
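The sniff-filter-reinject loop Frank walks through above, reduced to its decision logic as an added example (this is not code from the post, from Marcus, or from any of the products mentioned). The real box would read frames with libpcap on one NIC and write them with libnet on the other; here that I/O is replaced by constructed Ethernet frames so the logic runs offline. The interface names "ext"/"int", the router and mail-server addresses, and the rule set (ARP both ways, everything from the inside, and from the outside only ICMP and TCP to the mail server's port 25) are all assumptions made for the walk-through.

```python
import struct
from ipaddress import IPv4Address

ETH_ARP, ETH_IP = 0x0806, 0x0800
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
OTHER_IFACE = {"ext": "int", "int": "ext"}   # the box's two NICs (assumed names)

# Constructed addresses for the walk-through; not from the original post.
ROUTER_MAC, ROUTER_IP = bytes.fromhex("001122aabbcc"), IPv4Address("192.0.2.1")
MAIL_MAC, MAIL_IP = bytes.fromhex("00aabb112233"), IPv4Address("192.0.2.25")
BCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6


def parse_frame(frame: bytes) -> dict:
    """Decode just enough of an Ethernet II frame to apply the rule set."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": frame[:6], "src_mac": frame[6:12], "proto": "other"}
    body = frame[14:]
    if ethertype == ETH_ARP:
        if len(body) < 28:
            raise ValueError("truncated ARP")
        info.update(proto="arp", op=struct.unpack("!H", body[6:8])[0],
                    spa=IPv4Address(body[14:18]), tpa=IPv4Address(body[24:28]))
    elif ethertype == ETH_IP:
        if len(body) < 20:
            raise ValueError("truncated IPv4 header")
        ihl = (body[0] & 0x0F) * 4
        info.update(proto="ip", ip_proto=body[9],
                    src_ip=IPv4Address(body[12:16]), dst_ip=IPv4Address(body[16:20]))
        if body[9] == IPPROTO_TCP and len(body) >= ihl + 20:
            info["sport"], info["dport"] = struct.unpack("!HH", body[ihl:ihl + 4])
            info["flags"] = body[ihl + 13]
    return info


def allowed(info: dict, ingress: str) -> bool:
    """Stateless rule set for the inbound-mail scenario (an assumption):
    ARP passes both ways, anything from the inside passes, and from the
    outside only ICMP and TCP to the mail server's port 25 get through."""
    if info["proto"] == "arp":
        return True
    if info["proto"] != "ip":
        return False          # no other ethertypes cross the box
    if ingress == "int":
        return True
    if info["ip_proto"] == IPPROTO_ICMP:
        return True
    return (info["ip_proto"] == IPPROTO_TCP and info.get("dport") == 25
            and info["dst_ip"] == MAIL_IP)


def relay(frame: bytes, ingress: str):
    """Frame sniffed on `ingress`: return (egress, frame) to inject, or None.
    The frame goes out byte-for-byte unchanged (no MAC rewrite, no TTL
    decrement), which is what keeps the box invisible to router and hosts."""
    try:
        info = parse_frame(frame)
    except ValueError:
        return None       # drop what cannot be parsed rather than forward it blind
    return (OTHER_IFACE[ingress], frame) if allowed(info, ingress) else None


# Frame builders, used only to construct the sample traffic below.
def eth(dst, src, ethertype, body):
    return dst + src + struct.pack("!H", ethertype) + body

def arp(op, sha, spa, tha, tpa, dst_mac):
    body = struct.pack("!HHBBH", 1, ETH_IP, 6, 4, op) + sha + spa.packed + tha + tpa.packed
    return eth(dst_mac, sha, ETH_ARP, body)

def tcp_segment(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, src_ip.packed, dst_ip.packed)   # checksums left 0
    return eth(dst_mac, src_mac, ETH_IP, ip + tcp)


def walkthrough() -> list:
    """The post's exchange plus two frames the box must drop.
    Returns (step name, egress interface or None, frame left unchanged?)."""
    steps = [
        ("router ARP request", arp(1, ROUTER_MAC, ROUTER_IP, ZERO_MAC, MAIL_IP, BCAST), "ext"),
        ("mail server ARP reply", arp(2, MAIL_MAC, MAIL_IP, ROUTER_MAC, ROUTER_IP, ROUTER_MAC), "int"),
        ("SYN to 25/tcp", tcp_segment(ROUTER_MAC, MAIL_MAC, ROUTER_IP, MAIL_IP, 40000, 25, 0x02), "ext"),
        ("SYN/ACK from 25/tcp", tcp_segment(MAIL_MAC, ROUTER_MAC, MAIL_IP, ROUTER_IP, 25, 40000, 0x12), "int"),
        ("SYN to 23/tcp", tcp_segment(ROUTER_MAC, MAIL_MAC, ROUTER_IP, MAIL_IP, 40001, 23, 0x02), "ext"),
        ("runt frame", b"\x00" * 10, "ext"),
    ]
    results = []
    for name, frame, ingress in steps:
        r = relay(frame, ingress)
        results.append((name, None if r is None else r[0], r is not None and r[1] == frame))
    return results


if __name__ == "__main__":
    for name, egress, unchanged in walkthrough():
        verdict = "DROP" if egress is None else f"inject on {egress}"
        print(f"{name:24s} -> {verdict}{' (unchanged)' if unchanged else ''}")
```

Two things a real build has to handle that this simulation does not: the rule set here is stateless, so it cannot tell a legitimate SYN/ACK from the mail server apart from anything else the inside sends, and a capture on the NIC the box injects on will generally also see the box's own outgoing frames, so the capture has to be restricted to inbound frames (or the injected frames otherwise recognised) or the relay will bounce its own traffic back and forth.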

