> This pertains to anyone filtering connections to port 81 on
> their raqs via external firewalls...
>
> I picked up an interesting utility today called fpipe.

http://www.foundstone.com/rdlabs/proddesc/fpipe.html btw

> This utility allows the user to connect to a server through an open
> port on a firewall... say port 80. Once the connection is established,
> the program enables the user to connect to any port on the server,
> regardless of external firewall rules.

Not quite, as far as I can tell from having read the text at the URL above.

> I decided to try a little experiment. I have a raq3 located behind a
> sonicwall soho firewall. The raq is used only as an email
> server, so only ports 25 and 110 are open on the firewall. This is set up
> using port forwarding, as the raq does not have a public IP address.

OK.

> I fired up fpipe and set the starting connection to port 25,
> and the final source connection to port 81. That means I could connect to
> the server through the firewall on port 25, and then fpipe would allow
> me to forward requests to port 81 on the server.

Not according to the text on the webpage. fpipe allows you to specify the *source* port of connections, and the destination port, if you point packets at whichever host it's running on and at the port it's listening on ( -s, -r and -l respectively ). It doesn't allow you to connect to that port on the *remote* server you're trying to connect to, and then somehow jump to a different port. ( if it did, your comment of "scary" is lacking the necessary 100 exclamation marks )

> The actual client connection from a client program to a server is made
> locally. Fpipe is configured to listen on a local port on the
> client, and then it forwards the client connection to the remote server.
> I set up fpipe to listen on port 100.
> The command line for this is:
> fpipe -l 100 -s 25 -r 81 <ip address>
>
> I then typed this into my web browser:
> http://localhost:100/.cobalt/sysManage/index.html
>
> And guess what I got? The cobalt user login.... scary.

Yes, but not for the reasons you imagine, as far as I can tell. One of two things is happening here, I think:

EITHER the IP address you're connecting from is allowed to connect through the firewall to the admin server anyway, so all fpipe is doing is sending those packets from a low source port.

OR for some reason, packets with a source port of 25 are traversing the firewall rules without the destination port being checked. That is a bad thing.

"EITHER" is an oversight on your part, no big deal, "OR" is scary, well found :)

> I would suggest that anyone interested in filtering port 81
> on their raqs do so with local ipchains rules, and not just an external firewall.

This is worth doing anyway, strength in depth and all that. ( Isn't Sonicwall SOHO ipchains with fluffy add-ons? I should know this...... )

I haven't played with the software myself, but Kevin's description piqued (sp?) my interest so I've spent a few minutes reading up. So if I'm obviously wrong proof would be appreciated, otherwise there is *something* interesting going on here, so more information is welcome, especially tcpdumps off the Cobalt, or even netstat output.

BTW - I'm presuming fpipe works on Windows only as it's a Foundstone tool, doesn't "fragrouter" do something similar for unix?

-- 
Nick Drage - Security Architecture - Demon Internet - Thus PLC
As of Wed 13/06/2001 at 16:00 This computer has been up for 2 days, 4 hours, 38 minutes, 54 seconds.

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
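The reply above asks for tcpdumps off the Cobalt to tell the "EITHER" case from the "OR" case. As an added example (not from this thread, and not part of fpipe or any Foundstone tool), the following scans tcpdump-style text for the "OR" signature: inbound SYNs aimed at the RaQ admin port 81 whose *source* port is one of the service ports the firewall is meant to forward. The capture lines are constructed for illustration, the port sets are assumptions taken from the thread, and the script only reads text, so it can be run on a real capture offline.

```python
import re
from collections import namedtuple

# Constructed tcpdump-style lines (the old "S ..." flag syntax of the era);
# these are not real captures from the list post.
SAMPLE_TCPDUMP = """\
16:02:11.101 203.0.113.7.25 > 192.0.2.10.81: S 1001:1001(0) win 16384
16:02:11.102 192.0.2.10.81 > 203.0.113.7.25: S 2002:2002(0) ack 1002 win 5840
16:02:12.500 198.51.100.9.40212 > 192.0.2.10.25: S 3003:3003(0) win 8760
16:02:13.000 203.0.113.7.110 > 192.0.2.10.81: S 4004:4004(0) win 16384
16:02:14.250 198.51.100.9.40213 > 192.0.2.10.110: S 5005:5005(0) win 8760
"""

ADMIN_PORTS = {81}          # Cobalt RaQ admin server (assumption from the thread)
FORWARDED_PORTS = {25, 110} # ports the firewall is supposed to pass (assumption)

# tcpdump: "<ts> <src ip>.<sport> > <dst ip>.<dport>: <flags and the rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)

Syn = namedtuple("Syn", "ts src sport dst dport")

def parse_syns(text):
    """Yield connection attempts (SYN without ACK) found in tcpdump text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        is_syn = rest.startswith("S ") or "Flags [S]" in rest  # old and new syntax
        if not is_syn or " ack " in rest:      # skip SYN/ACK replies
            continue
        yield Syn(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def find_source_port_bypass(text):
    """SYNs to an admin port whose source port is a forwarded service port.
    A client never legitimately picks 25 or 110 as its ephemeral port, so a
    hit means the firewall matched on source port, not destination port."""
    return [s for s in parse_syns(text)
            if s.dport in ADMIN_PORTS and s.sport in FORWARDED_PORTS]

if __name__ == "__main__":
    for hit in find_source_port_bypass(SAMPLE_TCPDUMP):
        print(f"{hit.ts} {hit.src}:{hit.sport} -> {hit.dst}:{hit.dport} "
              "suspicious: service port used as client source port")
```

A hit on a real capture means the external firewall is not checking destination ports for those source ports, which is exactly the case where the local ipchains rules recommended above earn their keep.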
