Spoofing [ns_conn peeraddr] at the IP level is difficult if your platform has "random enough" IP initial sequence numbers, and can be blocked at your router with an explicit rule to drop inbound packets on the WAN interface that have a source address on your LAN.
There has also been talk on the list of having [ns_conn peeraddr] return the address in the "X-Forwarded-For:" header (if one exists). Although nothing has been committed yet, if this change is made it would render your security trivially breakable. If you're running on current AOLserver 4 builds I'd keep an eye on the CVS commit list for any further mention of this.
cheers
Russell
On Wednesday, August 20, 2003, at 12:31 AM, Andrew Piskorski wrote:
My Linux server is behind a router/firewall doing NAT.
I have a page that accepts requests, and the only valid originators of that request are on the local network (actually they happen to be on the same box currently), also behind the router. However, the AOLserver serving that page also does other stuff and therefore is accessible from the Internet - the NAT router forwards the requests.
I realize it's not particularly good security design, but at least for the initial version of this page it would be awfully convenient if I could simply trust all requests originating on the LAN, and deny any and all requests coming in from the router. In this case, is it safe to trust the value of [ns_conn peeraddr]? Or could a client outside the router somehow spoof the peer address to make it look like the request is coming from a machine on my LAN?
Hm, alternately, maybe I should have my AOLserver listen on a second IP address which is ONLY accessible from my LAN?
-- Andrew Piskorski <[EMAIL PROTECTED]> http://www.piskorski.com
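An added illustration of the two points above (not code from the thread or from AOLserver): why trusting the TCP peer address is a reasonable LAN check, and why a peeraddr that silently prefers "X-Forwarded-For:" would be trivially spoofable. The LAN range, the trusted proxy address and the sample requests are all constructed for the example; the trusted-proxy case goes slightly beyond the thread to show the only situation in which honouring the header is sound.

```python
import ipaddress

# Constructed values (assumptions for this example, not from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
# A reverse proxy we operate ourselves; only its X-Forwarded-For is meaningful.
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.1.1")}


def client_address_naive(peer_addr, headers):
    """Models the proposed change: prefer X-Forwarded-For whenever present.

    The requester writes the header, so the returned address is whatever
    the requester chose to claim. Shown only to demonstrate the weakness.
    """
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(peer_addr)


def client_address_safe(peer_addr, headers):
    """Use the TCP peer address, which the kernel derived from the handshake.

    X-Forwarded-For is consulted only when the peer is a proxy we operate,
    and then only its *last* element is used: that is the address the proxy
    itself appended. Earlier elements are whatever the upstream client sent.
    """
    peer = ipaddress.ip_address(peer_addr)
    xff = headers.get("X-Forwarded-For")
    if peer in TRUSTED_PROXIES and xff:
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def is_lan_request(peer_addr, headers, resolver=client_address_safe):
    """Access rule from the question: allow only if the client is on the LAN."""
    return resolver(peer_addr, headers) in LAN


# Constructed requests: a real LAN client, an Internet client forwarded by the
# NAT router (source address is not rewritten by DNAT) that claims a LAN
# address in the header, and two requests relayed through the trusted proxy.
LAN_REQUEST = ("192.168.1.42", {})
SPOOFED_REQUEST = ("203.0.113.7", {"X-Forwarded-For": "192.168.1.42"})
PROXIED_LAN_REQUEST = ("192.168.1.1", {"X-Forwarded-For": "192.168.1.42"})
PROXIED_SPOOF_REQUEST = ("192.168.1.1", {"X-Forwarded-For": "192.168.1.42, 203.0.113.7"})

if __name__ == "__main__":
    for name, req in [("LAN", LAN_REQUEST), ("spoofed", SPOOFED_REQUEST),
                      ("proxied LAN", PROXIED_LAN_REQUEST),
                      ("proxied spoof", PROXIED_SPOOF_REQUEST)]:
        print(f"{name:14s} naive={is_lan_request(*req, resolver=client_address_naive)!s:5s} "
              f"safe={is_lan_request(*req)}")
```

With the peer-address rule the spoofed request is denied because the router delivers it with the Internet source address; with the naive header rule the same request is allowed, which is exactly the "trivially breakable" outcome described above. Putting the equivalent check in a preauth filter (and, as suggested, binding a second listener to a LAN-only address) keeps the decision out of the page handler itself.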
-- AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
