On Sun, Apr 02, 2000 at 03:12:06PM +0200, Christian Hammers wrote:
> Wrong. spf does monitor the outgoing packets and install a backward rule.
> A host behind a masquerading gateway wouldn't be reachable if not the
> gateway monitors outgoing packets and installs a backward rule, too,
> although here it maps a local (gateway) port to an intern address+port.

Yes, of course. This is not the kind of rule I was talking about. spf takes
care of ipchain rules.

> In this case the masquerading software does something similar as the
> spf software.

In some sense yes. But the function is quite different. Let's use an example.
My DNS server shall have the IP number 172.26.14.7 with my firewall
masquerading this. So the following spf rules allow it to work:

-A input -j ACCEPT -i eth1 -s 172.26.14.7 1024:65535 -d 0.0.0.0/0 domain -p udp
-A forward -j MASQ -s 172.26.14.7 1024:65535 -d 0.0.0.0/0 domain -p udp

Let's say I block everything else. So my server is able to send requests but
no answer will be able to come back in. You need another input rule that
allows input from the server accessed. And that rule is created by spf. The
ip masquerading code is not to do that. Once the packets were sent out there
is an open entry for udp packets.

> What harm can a packet without SYN flag have? AFAIK it can only fiddle

I think there was an exploit some time ago that sent lots of ACK packets,
wasn't it?

> around with the ip-stack implementation - which has to be stable anyways.

That's the reasoning the upstream maintainer of spf uses to explain why he
does allow all established tcp packets in. I do not think this is a good way
of running a secure system. That's why I configure spf for Debian slightly
different.

> udp:
> ok, no syn flag here (but it's normally only used for DNS...)

Yes, but check bugtraq for a udp masquerading design flaw.

> icmp:
> what use does spf bring here? If you want to secure your host you deny
> everything but echo/echo reply, dest unreachable, source quench, redirect
> and time exceeded. Apart from the first one (->ping) you can't have any
> statefulness anyways.

Right. It's only echo replies that the statefulness is used for. But I for
one like to have my system as tight as possible. Who knows maybe there's
already an exploit using echo reply. :-)

> I thought that spf is mainly used for protecting against *incoming*
> packets. Here you can deny everything below 1024 except for the few
> services you need. Then the only way of attacking could be spoofed packets
> that do not belong to any real connection. But those packets should be
> discarded by the normal IP stack, too.

You can of course use spf on ports < 1024 for incoming connections. But then
it won't bring you anything over ipchains since you have to leave the port
open anyways. For instance if you have port SMTP open to the world what can
spf do? It cannot block anything, except the spoofed packets you talked
about. And if you really trust your tcp stack that'll do the same.

Michael

--
Michael Meskes                         | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz    | Go Rhein Fire!
Tel.: (+49) 2431/72651                 | Use Debian GNU/Linux!
Email: [email protected]                | Use PostgreSQL!
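An added example, not from Michael's message or from the spf project, that models the point above: a static ipchains-style rule lets the DNS query out, and only a stateful wrapper installs the narrow "backward rule" that lets the matching reply back in while everything else stays blocked. REPLY_TIMEOUT, the class and function names are assumptions; the remote resolver address is constructed.

```python
from dataclasses import dataclass

DNS_SERVER = "172.26.14.7"   # the masqueraded DNS server from the thread
REPLY_TIMEOUT = 30.0         # seconds; assumed, spf's real value is not given


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def outbound_allowed(p: Packet) -> bool:
    """Static rule from the thread: server, unprivileged port -> any:53/udp."""
    return (p.proto == "udp" and p.src == DNS_SERVER
            and 1024 <= p.sport <= 65535 and p.dport == 53)


class StatefulFilter:
    """Watches permitted outbound packets and installs the backward rule."""

    def __init__(self):
        # (proto, remote, rport, local, lport) -> time the entry expires
        self.backward = {}

    def outbound(self, p: Packet, now: float) -> bool:
        if not outbound_allowed(p):
            return False
        # Expect the reply from dst:dport back to exactly src:sport.
        self.backward[(p.proto, p.dst, p.dport, p.src, p.sport)] = now + REPLY_TIMEOUT
        return True

    def inbound(self, p: Packet, now: float) -> bool:
        # Default policy from the thread: "I block everything else".
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        expiry = self.backward.get(key)
        if expiry is None or expiry < now:
            self.backward.pop(key, None)  # stale entries do not re-open the port
            return False
        return True


def demo():
    f = StatefulFilter()
    query = Packet("udp", DNS_SERVER, 40000, "198.51.100.53", 53)  # constructed
    reply = Packet("udp", "198.51.100.53", 53, DNS_SERVER, 40000)
    stray = Packet("udp", "198.51.100.53", 53, DNS_SERVER, 40001)  # wrong port
    return (f.outbound(query, 0.0), f.inbound(reply, 1.0),
            f.inbound(stray, 1.0), f.inbound(reply, REPLY_TIMEOUT + 1))
```

Without the tracked outbound packet the reply is dropped, which is the "no answer will be able to come back in" case; with it, only the exact reverse 5-tuple is accepted, and only until the entry expires.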

