IP forwarding in firewalls and masquerade boxes

Post by newsv » Tue, 11 May 1999 04:00:00



The Firewall HOWTO and some other sources that I've looked at emphasize that
you should turn IP forwarding off in firewalls and (I believe) IP
masquerading boxes as well.  In principle I understand that you should turn
off all the services possible to secure a box.  My question is, what
vulnerabilities does IP forwarding expose?

For instance suppose you have an IP masquerading box with two NICs -- one
talking to a 192.168.x.y private network, and one with a public IP address.
I can see how maybe a cracker could come send some packets to the public
side of the masq box that appeared to come from a 192.168.x.y address...
but I can't see how that would do a cracker any good.  And if I am guessing
right and this is how a cracker would exploit IP forwarding, then is there a
way to stipulate that packets from a 192.168.x.y address should be rejected
by the publicly accessible NIC?

Thanks in advance
Don


Post by Raymonds Doetje » Wed, 12 May 1999 04:00:00


The threat lies here:
When a hacker gets into your so-called "Bastion" host (this can happen because
you allowed telnet logins from anywhere), then the hacker can start software like
IP sniffers that check the IP traffic on your internal network (that is usually
masqed). And so grep passwords or data that are sent unencrypted.

Or even worse, if you have mounting tools installed on your bastion host the
hacker can mount NFS or SMB exports/shares and copy your files to his system
and perhaps sell the wanted data.

P.S. (I'm no hacker, I only use my knowledge for good).

Raymond


> The Firewall HOWTO and some other sources that I've looked at emphasize that
> you should turn IP forwarding off in firewalls and (I believe) IP
> masquerading boxes as well.  In principle I understand that you should turn
> off all the services possible to secure a box.  My question is, what
> vulnerabilities does IP forwarding expose?

> For instance suppose you have an IP masquerading box with two NICs -- one
> talking to a 192.168.x.y private network, and one with a public IP address.
> I can see how maybe a cracker could come send some packets to the public
> side of the masq box that appeared to come from a 192.168.x.y address...
> but I can't see how that would do a cracker any good.  And if I am guessing
> right and this is how a cracker would exploit IP forwarding, then is there a
> way to stipulate that packets from a 192.168.x.y address should be rejected
> by the publicly accessible NIC?

> Thanks in advance
> Don



Post by Paul Rusty Russel » Wed, 12 May 1999 04:00:00



> The Firewall HOWTO and some other sources that I've looked at emphasize that
> you should turn IP forwarding off in firewalls and (I believe) IP
> masquerading boxes as well.  In principle I understand that you should turn
> off all the services possible to secure a box.  My question is, what
> vulnerabilities does IP forwarding expose?

To do masquerading, you need IP forwarding ON.  No pass packet, no
masquerade.

Rusty.
--
Tridge, Raster, DaveM, Cort, maddog... Where will you be 9-11 July 1999?
                http://www.linux.org.au/projects/calu


1. IP Forwarding + IP Masquerading + Security

I have a Linux 2.0.36 Kernel running with IP Masquerading turned on and all
internal traffic being forwarded to the internet and masqueraded fine.
Here's my rc.firewall:

#!/bin/sh
#
# /etc/rc.d/rc.firewall, define the firewall configuration, invoked from
# /etc/rc.d/rc.local.
#
# Setup the firewall modules (masquerading helpers for protocols that carry
# addresses/ports inside their payload):
depmod -a
modprobe ip_masq_ftp
modprobe ip_masq_raudio
modprobe ip_masq_irc

# Setup the firewall rules:
# -I input chain, -O output chain, -F forwarding chain;
# -f flushes the chain, -p sets its default policy, -a appends a rule.
ipfwadm -I -f
ipfwadm -I -p accept
ipfwadm -O -f
ipfwadm -O -p accept
ipfwadm -F -f
ipfwadm -F -p reject
# Masquerade from local net on local interface to anywhere.
# Note: 192.168.2.0/16 is masked to 192.168.0.0/16, so this rule matches any
# 192.168.x.y source, and there is no -W interface restriction on it.
ipfwadm -F -a masquerade -S 192.168.2.0/16 -D 0.0.0.0/0

This works great, but I am concerned about security. I do not run any
servers on the internal machines of the network (My Win98 box, and my wife's
iMac), but I'd like to know if this setup would allow any malicious users
into my network. It looks to me like only packets that originate from one of
my internal machines will be forwarded to the network and that all packets
will be accepted by the Linux box. Am I vulnerable to "spoofing" or any
other cracker tricks?

TIA,

        Donley
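Added example, not part of Don's or Donley's posts: a small Python model of an ipfwadm-style filter that illustrates both Don's question (how to reject packets with a 192.168.x.y source on the public NIC) and Donley's question (whether his rc.firewall is open to spoofing). The interface names eth0 (public) and eth1 (private), the Packet and Rule classes and the sample packets are assumptions constructed for the illustration.

```python
# Added example (not from the thread): an ipfwadm-style filter model showing the
# anti-spoofing rule Don asks about, checked against Donley's forwarding chain.
import ipaddress
from dataclasses import dataclass

PRIVATE_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # RFC 1918

@dataclass
class Packet:
    iface: str  # interface the packet arrived on (assumed eth0 public, eth1 private)
    src: str
    dst: str

@dataclass
class Rule:
    action: str             # "accept", "reject", "deny" or "masquerade"
    src: str = "0.0.0.0/0"  # like ipfwadm -S
    dst: str = "0.0.0.0/0"  # like ipfwadm -D
    iface: str = ""         # like ipfwadm -W; "" matches any interface

    def matches(self, pkt):
        # strict=False masks host bits the way ipfwadm does, so the posted
        # "192.168.2.0/16" really means 192.168.0.0/16
        src_net = ipaddress.ip_network(self.src, strict=False)
        dst_net = ipaddress.ip_network(self.dst, strict=False)
        return (ipaddress.ip_address(pkt.src) in src_net
                and ipaddress.ip_address(pkt.dst) in dst_net
                and (not self.iface or self.iface == pkt.iface))

def evaluate(chain, policy, pkt):
    """First matching rule wins; otherwise the chain's default policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return policy

def antispoof_input_chain(public_iface):
    """Don's rule: deny anything on the public NIC with a private source address."""
    return [Rule("deny", src=net, iface=public_iface) for net in PRIVATE_NETS]

# Donley's forwarding chain as posted: policy reject plus one masquerade rule
# keyed on source only (no -W), so a spoofed private source matches it too.
DONLEY_FORWARD = [Rule("masquerade", src="192.168.2.0/16")]

def check(pkt, public_iface="eth0"):
    """Input chain first, as the kernel does, then the forwarding chain."""
    if evaluate(antispoof_input_chain(public_iface), "accept", pkt) == "deny":
        return "deny"
    return evaluate(DONLEY_FORWARD, "reject", pkt)
```

Evaluated against the forwarding chain alone, a packet arriving on eth0 with a 192.168.x.y source still matches the masquerade rule; the interface-keyed deny rule on the input chain is what actually stops it.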
