Penetration Testing mailing list archives
Re: [PEN-TEST] advertising private IP numbers?
From: "Carter, Adam" <adam () JAFTAN COM AU>
Date: Sat, 23 Dec 2000 12:35:22 +1100
That or that IP forwarding is turned on on the Proxy/Firewall which is not a good idea.
While that makes sense for proxies, why would it be the case for packet filters/stateful inspectors? Since the routing code is built into the OS, why not use it? Checkpoint on Solaris uses the kernel IP forwarding to route. It switches it on when the firewall is up and switches it off when the firewall is stopped <grin> (you can check with ndd). Remember that the packet filter code sits between the NIC driver and the OS's IP stack, so it's not possible for the kernel to directly route the packet and bypass the firewall's packet inspection. Of course, all the Checkpoint docos say to turn off IP forwarding, but that's just so the box doesn't route when the firewall is off.
Well, by definition, a Proxy/Firewall has to have ip forwarding turned on, or else it would not achieve the desired effect of passing any traffic.
Proxies "route" at the application layer and so they require that the kernel does not route, or they will never see the packets.
The other question I have is why is this person using the reserved address space on a non-stub network? I assume the hops listed as '22' and '23' are "real IPs" and are x'd out to protect the identity of the network. If this is the case, I wonder why they'd route real IPs through a NAT'd network....
What makes you think it's NATed?

Adam