oss-sec mailing list archives

Re: Attack on badly configured Netfilter-based firewalls
From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 27 Feb 2012 19:13:42 +0100

* Eric Leblond:

> I've discovered a generic attack on firewalls using Application Level
> Gateways (like Netfilter or Checkpoint).

This is rediscovered every two to five years.  Here's mine
(from 2005, but it's been proposed before):

<http://www.enyo.de/fw/security/java-firewall/>

> Secure use of iptables and connection tracking helpers:
> http://home.regit.org/netfilter-en/secure-use-of-helpers/

I think your filters aren't effective against sandboxed Java code on
the client.

I think there are other client-side sandboxes which allow de-facto
unrestricted access (with server cooperation).  Doesn't Flash require
just a policy file on the server to open up arbitrary ports?

You could exclude the magic Silverlight port range:

| One additional restriction on using the sockets classes is that the
| destination port range that a network application is allowed to
| connect to must be within the range of 4502-4534.

<http://msdn.microsoft.com/en-us/library/cc645032%28v=vs.95%29.aspx>
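The thread turns on how conntrack helpers get attached to connections. As an added illustration (this script is not from either author or from the linked article), here is the weak default next to the explicit-assignment form: the FTP helper is attached only to control connections that really go to the FTP server, helper-created expectations toward the Silverlight port range quoted above are refused, and RELATED traffic is accepted only when the FTP helper created the expectation. The server address 192.0.2.10, the port and the `echo` dry-run convention are assumptions; the nf_conntrack_helper sysctl exists on kernels before 6.0, which dropped it and always behave as if it were 0.

```shell
#!/bin/sh
# Added example, not code from the thread or the linked article.
# Usage: ./helpers.sh apply        (applies the hardened rules, needs root)
#        hardened_rules echo       (dry run: prints the commands instead)
set -eu

FTP_SERVER=192.0.2.10   # constructed placeholder for the internal FTP server

weak_rules() {
    # WEAK: automatic helper assignment is on, so any connection to the
    # helper's port gets the FTP helper attached whatever the peer is, and
    # every RELATED connection is accepted no matter which helper opened it.
    run="${1:-}"
    $run modprobe nf_conntrack_ftp
    $run sysctl -w net.netfilter.nf_conntrack_helper=1
    $run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

hardened_rules() {
    run="${1:-}"
    $run modprobe nf_conntrack_ftp
    # 1. No automatic helper assignment: nothing gets a helper unless a CT
    #    rule below says so (sysctl absent on kernels >= 6.0, same effect).
    $run sysctl -w net.netfilter.nf_conntrack_helper=0
    # 2. Attach the FTP helper only to control connections to the real FTP
    #    server on its real port, in the raw table before conntrack runs.
    $run iptables -t raw -A PREROUTING -p tcp -d "$FTP_SERVER" --dport 21 \
        -j CT --helper ftp
    # 3. Refuse helper-created expectations toward the Silverlight socket
    #    range (4502-4534) even if a helper was ever mis-assigned.
    $run iptables -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp \
        -p tcp --dport 4502:4534 -j DROP
    # 4. Accept RELATED only when the FTP helper created the expectation;
    #    ESTABLISHED traffic is accepted as usual.
    $run iptables -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
    $run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

if [ "${1:-}" = apply ]; then
    hardened_rules
fi
```

Run with `apply` to install the rules, or call `hardened_rules echo` to review the generated commands first; the weak variant is kept only for comparison.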
