IPChains question (SOLVED)

Derek Atkins warlord at MIT.EDU
Mon May 15 19:16:45 EDT 2000


Actually, Linux IP-Masq (i.e. NAT) does quite well with datagrams...
The way NAT works is that the NAT-box creates a mapping of
transport, external-IP, external-port, local-port -- so, it is possible
to have multiple streams that use the same 'local-port'.  Indeed,
trying to port-scan an ip-masq server won't show you anything about any
current flows (unless a flow is heading to your machine and you happen
to use the correct port to send the ping back to the NAT box).

The only way a port-scan will work from the outside is if you have an
AutoForward on the NAT.  AutoFW is used to forward a constant port to
an internal machine (for example, you may have your mail server
sitting behind the NAT box, so you forward port 25 through the NAT box
to your SMTP server).

-derek

Mike Bilow <mikebw at colossus.bilow.com> writes:

> I honestly don't understand the issue.  The masquerader should not make
> anything more valuable than if the target machine was itself directly on
> the public network, although -- depending upon how the masquerade is done
> -- the IP address seen by the target machine would be that of the
> masquerader rather than of the actual source machine.  An outside attacker
> could, for example, port scan the masquerader and find out what ports are
> in use for masquerading or anything else, but it would be hard to take
> over these ports without knowing quite a lot more about the instantaneous
> status of the masquerader and what its ports really were reflecting.
> 
> There are two fundamentally different masquerading schemes, one using a
> kind of pass-through scenario and another using a more formalized Network
> Address Translation (NAT) scenario.  It stands to reason that the dynamic
> allocation of resources inherent in a pass-through scheme would lead to
> generally greater security vulnerability, but it is not immediately clear
> to me how that is specifically the case.  There are some peripheral
> issues, such as what happens if you elect to masquerade disconnected mode
> packets, such as UDP or ICMP datagrams.
> 
> -- Mike
> 
> 
> On 2000-05-15 at 12:11 -0400, Christoph Doerbeck A242369 wrote:
> 
> > I would agree that SSH is designed and engineered to be "safe", but my
> > original point was that by changing the firewall's IPCHAIN timeouts, you
> > are setting global values, not just those for SSH.  This could make
> > other port services masqueraded on the FW more vulnerable (T/F)?
> 
> 
> -
> Subscription/unsubscription/info requests: send e-mail with
> "subscribe", "unsubscribe", or "info" on the first line of the
> message body to discuss-request at blu.org (Subject line is ignored).

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
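The mapping Derek describes, worked through as an added example. This is a toy model written for this archive page, not code from the thread or from the Linux masquerade code; the kernel's actual conntrack structures differ. It keys each flow on (transport, external IP, external port, NAT-side port), so two internal hosts can use the same local port at once, an unsolicited probe from a scanner matches no state and is dropped, and only a static forward (the AutoFW case, port 25 to an internal SMTP host here) answers from the outside. All addresses are constructed from the RFC 5737 documentation ranges and the NAT port range is an assumption.

```python
"""Toy model of Linux IP-masquerade (NAT) state keyed on the 4-tuple
(transport, external IP, external port, NAT-side port).

Added example for illustration; not the kernel's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]                    # (ip, port)
FlowKey = Tuple[str, str, int, int]           # (proto, ext_ip, ext_port, nat_port)


@dataclass
class Masquerader:
    public_ip: str
    # Dynamic state: outbound flows as seen from the public side -> internal endpoint.
    table: Dict[FlowKey, Endpoint] = field(default_factory=dict)
    # Static "AutoFW" forwards: (proto, public port) -> internal endpoint.
    forwards: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)
    # Assumed port range for masqueraded flows (constructed for this example).
    next_port: int = 61000

    def add_forward(self, proto: str, nat_port: int, int_ip: str, int_port: int) -> None:
        """Forward a constant public port to an internal server (AutoFW)."""
        self.forwards[(proto, nat_port)] = (int_ip, int_port)

    def outbound(self, proto: str, int_ip: str, int_port: int,
                 ext_ip: str, ext_port: int) -> Endpoint:
        """Translate an internal packet; return the source the remote host sees."""
        for (p, eip, eport, nport), internal in self.table.items():
            if (p, eip, eport) == (proto, ext_ip, ext_port) and internal == (int_ip, int_port):
                return (self.public_ip, nport)      # existing flow, reuse mapping
        nat_port = self.next_port
        self.next_port += 1
        self.table[(proto, ext_ip, ext_port, nat_port)] = (int_ip, int_port)
        return (self.public_ip, nat_port)

    def inbound(self, proto: str, src_ip: str, src_port: int,
                dst_port: int) -> Optional[Endpoint]:
        """Deliver a packet arriving on the public side, or None if dropped."""
        # A reply only matches if it comes from the flow's own remote endpoint
        # and hits the NAT port that flow was given.
        state = self.table.get((proto, src_ip, src_port, dst_port))
        if state is not None:
            return state
        # Otherwise only a static forward lets the packet in.
        return self.forwards.get((proto, dst_port))

    def visible_ports(self, proto: str, scanner_ip: str, scanner_port: int = 40000) -> set:
        """What a port scan from scanner_ip would get a response from."""
        return {p for p in range(1, 65536)
                if self.inbound(proto, scanner_ip, scanner_port, p) is not None}


def demo() -> dict:
    nat = Masquerader("198.51.100.1")               # constructed public address
    nat.add_forward("tcp", 25, "192.168.1.10", 25)  # SMTP server behind the NAT

    # Two internal hosts both use local port 5000 towards different DNS servers.
    a = nat.outbound("udp", "192.168.1.20", 5000, "203.0.113.5", 53)
    b = nat.outbound("udp", "192.168.1.21", 5000, "203.0.113.6", 53)

    return {
        "host_a_as_seen": a,
        "host_b_as_seen": b,
        # Genuine reply from the server host A talked to: delivered to A.
        "reply_to_a": nat.inbound("udp", "203.0.113.5", 53, a[1]),
        # Scanner hitting the same NAT port from another address: no state, dropped.
        "probe_on_a_port": nat.inbound("udp", "203.0.113.99", 53, a[1]),
        # Scanner from the same address but the wrong source port: dropped too.
        "probe_wrong_sport": nat.inbound("udp", "203.0.113.5", 54, a[1]),
        # Only the AutoFW port answers an outsider.
        "tcp_scan": nat.visible_ports("tcp", "203.0.113.99"),
        "udp_scan": nat.visible_ports("udp", "203.0.113.99"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes is the one in Derek's reply: the masquerade table is consulted on the full tuple, so the NAT port alone tells an outsider nothing, and raising ipchains masquerade timeouts only lengthens how long an entry survives; it does not make the entry reachable from a different remote address. The one thing a scan does reveal is the static forwards, which is where hardening attention belongs.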