Sorry about the crosspost...

I don't know if it's just me, but if this post is correct it seems like a
much more serious problem than Mr Lazaro indicates...

If the Watchguard is performing NAT on a dynamic basis (only possible way if
it's just one external IP, right?) then why the hell is it routing packets
for random internal addresses? In other words, if my host (say 192.168.1.4)
hasn't sent any traffic to the outside world, I DON'T expect a packet to
arrive at the firewall, ask for my machine, and have a red carpet rolled
out.

Someone reassure me that this box is either misconfigured or that the poster
is Just Making It Up?

Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520

-----Original Message-----
From: Alfonso Lazaro [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 02, 1999 8:46 PM
To: [EMAIL PROTECTED]
Subject: Default configuration in WatchGuard Firewall


        I have found a misconfiguration in the default configuration of
Watchguard Firewall.

        By default it adds a rule that accepts pings from any to any.
        
        So if our firebox is defending our internal network ( 192.168.x.x
... )
and our WG Firewall is a proxy with an external IP on the internet (
100.100.100.100, hypothetical IP address ) the attacker can change his/her
routes like so :

        # route add -net 192.168.0.0 netmask 255.255.255.0 gw 100.100.100.100
        
        # ping 192.168.1.1
        PING 192.168.1.1 (192.168.1.1): 56 data bytes
        64 bytes from 192.168.1.1: icmp_seq=0 ttl=251 time=514.0 ms
        
        ^C
        
        # ping 192.168.1.2
        PING 192.168.1.2 (192.168.1.2): 56 data bytes
        64 bytes from 192.168.1.2: icmp_seq=0 ttl=251 time=523.0 ms

        ^C
        
        and so on ...

        the attacker can now discover internal network IPs and attack them

        # ping -f 192.168.1.1


        Solution is easy ... do not allow pings to the internal network.
        

--
Regards.

===========================================================

   Alfonso Lazaro Tellez        [EMAIL PROTECTED]
   Security analyst
   IP6Seguridad                 http://www.ip6seguridad.com
   Tel: +34 91-3430245          C\Alberto Alcocer 5, 1 D
   Fax: +34 91-3430294          Madrid ( SPAIN )
===========================================================
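The policy problem the thread describes, modelled as an added example (not code from either poster or from WatchGuard): a first-match packet filter with the reported default ("accept ping from any to any") next to a fixed policy that drops anything arriving on the external interface with an internal (RFC 1918) destination. Interface names, the 192.168.0.0/16 internal range and the sample addresses are assumptions constructed for the illustration.

```python
"""Toy first-match packet filter showing why "accept icmp any->any" lets an
external host reach internal addresses once it routes them via the firewall,
and the ingress rule that closes it. All addresses are constructed samples."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed internal range behind the firewall (the post says 192.168.x.x).
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Packet:
    in_iface: str  # interface the packet arrived on: "external" or "internal"
    proto: str     # "icmp", "tcp", ...
    src: str
    dst: str


@dataclass
class Rule:
    action: str                      # "accept" or "drop"
    in_iface: str = "any"
    proto: str = "any"
    dst_nets: Optional[List] = None  # None means any destination

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface not in ("any", pkt.in_iface):
            return False
        if self.proto not in ("any", pkt.proto):
            return False
        if self.dst_nets is not None:
            dst = ipaddress.ip_address(pkt.dst)
            if not any(dst in net for net in self.dst_nets):
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First matching rule decides; an unmatched packet gets the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The default the post complains about: ping accepted from anywhere to anywhere.
DEFAULT_RULES = [Rule("accept", proto="icmp")]

# Fixed policy: packets entering on the external interface that are addressed
# to internal space are dropped before any accept rule is consulted.
FIXED_RULES = [Rule("drop", in_iface="external", dst_nets=INTERNAL_NETS),
               Rule("accept", proto="icmp")]

if __name__ == "__main__":
    probe = Packet("external", "icmp", "203.0.113.7", "192.168.1.1")
    print("default policy:", evaluate(DEFAULT_RULES, probe))  # accept
    print("fixed policy:  ", evaluate(FIXED_RULES, probe))    # drop
```

An outbound ping from an internal host still passes the fixed policy, since the drop rule only keys on the external interface and internal destinations.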

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
