On Mon, Dec 25, 2000, Alon Oz wrote about "Re: ipchains":
> The ICQ protocol reveals the real IP of the computer running the client,
> so even if you use GNU replacements it doesn't matter.

So what? Unless you have a completely-proxy-firewall (block everything and
allow only application proxies), whatever packets you let through (be they http,
ftp, or icq) carry the IP address of the machine behind the firewall. But
so what? If you use globally addressable IP addresses, face the consequences...
ARIN or RIPE will contain your address range and attackers can use that to
try the attack on every one of your addresses; alternatively, if you use NAT
then all outgoing packets will be given one IP address anyway, and your
argument is (at least as I see it) false.

Case in point:
I set up a firewall at home that is deliberately open to ICQ (through-server
messages only). The firewall does NAT for a couple of machines, each of them
with a different IP address (from a reserved area of the address space).
Sure enough, _no_ packet is ever sent out of the firewall with either of
the "secret" addresses, so that ICQ will only know the firewall's (publicly
known) address.

> This "feature" opens a window for "crackers" to use various firewall
> penetrating/piercing techniques.

This seems to me like "security by obscurity": all the crackers know is the
IP address of ICQ-using machines. How to use that in an attack that isn't
possible by simply attacking all your addresses is beyond me.

-- 
Nadav Har'El                        |      Monday, Dec 25 2000, 28 Kislev 5761
[EMAIL PROTECTED]             |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |I had a lovely evening. Unfortunately,
http://nadav.harel.org.il           |this wasn't it. - Groucho Marx
