oss-sec mailing list archives
Re: Attack on badly configured Netfilter-based firewalls
From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 27 Feb 2012 19:13:42 +0100
* Eric Leblond:

> I've discovered a generic attack on firewalls using Application Level
> Gateway (like Netfilter or Checkpoint).

This is rediscovered every two to five years. Here's mine (from 2005, but it's been proposed before): <http://www.enyo.de/fw/security/java-firewall/>

> Secure use of iptables and connection tracking helpers:
> http://home.regit.org/netfilter-en/secure-use-of-helpers/

I think your filters aren't effective against sandboxed Java code on the client. I think there are other client-side sandboxes which allow de-facto unrestricted access (with server cooperation). Doesn't Flash require just a policy file on the server to open up arbitrary ports?

You could exclude the magic Silverlight port range:

| One additional restriction on using the sockets classes is that the
| destination port range that a network application is allowed to
| connect to must be within the range of 4502-4534.

<http://msdn.microsoft.com/en-us/library/cc645032%28v=vs.95%29.aspx>
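An added example (not code from this thread or from the linked guide) showing one way a Netfilter administrator could apply the two defensive ideas above: bind a conntrack helper only to explicitly listed servers instead of letting it attach to every connection, and refuse helper-created RELATED connections into the Silverlight port range 4502-4534. It assumes Linux iptables with the CT target and the `helper` match; the FTP helper, the 192.0.2.x server addresses and the FTP_SERVERS/APPLY variables are my own choices, and it is a dry run unless APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (APPLY unset) or applies
# (APPLY=1, as root) rules that restrict conntrack-helper expectations.
FTP_SERVERS="${FTP_SERVERS:-192.0.2.10 192.0.2.11}"   # constructed sample
SL_PORTS="4502:4534"                                  # Silverlight socket range

# Emit one iptables command; only execute it when APPLY=1.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

helper_ruleset() {
    # 1. Stop the kernel attaching helpers to every connection on a helper
    #    port (sysctl exists on kernels before 6.0; newer kernels never do it).
    if [ "${APPLY:-0}" = "1" ]; then
        sysctl -w net.netfilter.nf_conntrack_helper=0 >/dev/null
    else
        echo "sysctl -w net.netfilter.nf_conntrack_helper=0"
    fi
    # 2. Attach the ftp helper only to control connections to known servers.
    for srv in $FTP_SERVERS; do
        rule -t raw -A PREROUTING -p tcp -d "$srv" --dport 21 -j CT --helper ftp
    done
    # 3. Never let a helper open a path into the sandbox-reachable port range.
    rule -A FORWARD -p tcp --dport "$SL_PORTS" -m conntrack --ctstate RELATED -j DROP
    # 4. Accept RELATED traffic only if the helper we chose created it.
    rule -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate RELATED -j DROP
}

# Checks on the generated ruleset (dry run), usable from a test.
silverlight_drop_count() {
    APPLY=0 helper_ruleset | grep -c -- "--dport $SL_PORTS .*RELATED -j DROP"
}
ct_helper_rule_count() {
    APPLY=0 helper_ruleset | grep -c -- "-j CT --helper ftp"
}

helper_ruleset
```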