Hi,

> > It looks like the Netfilter has problems with the NATed
> > icmp-administration messages. The original IP can be leaked into the
> > public network from the protected area.

[...]

> don't forget that ICMP error messages only quote the first 64 bytes of the
> original packet. Adding up IP and TCP headers (both 20 bytes without
> options), you only have 24 bytes of original payload. This might be somewhat
> more in UDP though due to its shorter header.
>
> A full length PORT command is 28 bytes, though a common scenario fits into
> 24 bytes.
>
> I see two solutions:
> * truncate the packet, and remove the payload area of deNATed ICMP messages,
>   if the inner header is either TCP or UDP (because in this case we _KNOW_
>   what is header and what is payload)
> * don't use packet filtering if separating the two zones is so important
>
> The first one could also be implemented using an ICMPTRIM target in your
> mangle table, which could also trim ICMP echo request/reply payloads. (which
> can easily be used to tunnel a whole IP stack through a firewall)

Ok, I didn't know the IPv4-ICMP RFC. I just sent a special packet with TCP
payload and I got back the payload. It was only a first check. (In IPv6-ICMP
the length-limit is ~1298 bytes, ...)

kisza

--
Andras Kis-Szabo
Security Development, Design and Audit
-------------------------/ Zorp, NetFilter and IPv6
[EMAIL PROTECTED]       /-----Member of the BUTE-MIS-SEARCHlab------>
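The trimming idea from the quoted reply (locate the inner TCP/UDP header inside an ICMP error and cut off the quoted payload that follows it), as an added Python illustration that is not code from this thread or from Netfilter's ICMPTRIM proposal; the ICMP "port unreachable" message, the 10.0.0.5/198.51.100.7 addresses and the PORT payload are constructed sample data, and the function names are my own.

```python
import socket
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over a message whose checksum field is already filled."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def split_icmp_error(icmp: bytes):
    """Split an ICMPv4 error into (outer 8-byte header, inner IP header, inner L4 header, quoted payload).
    Only TCP (6) and UDP (17) are split, because only for those do we know where the header ends."""
    outer, inner = icmp[:8], icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    ip_hdr, rest = inner[:ihl], inner[ihl:]
    proto = inner[9]
    if proto == 6 and len(rest) >= 13:      # TCP: data offset is the high nibble of byte 12
        l4_len = (rest[12] >> 4) * 4
    elif proto == 17:                       # UDP: fixed 8-byte header
        l4_len = 8
    else:                                   # other protocol, or quote ends inside the TCP header: nothing to trim
        l4_len = len(rest)
    return outer, ip_hdr, rest[:l4_len], rest[l4_len:]

def inner_src(icmp: bytes) -> str:
    """Source address of the quoted packet; the deNAT step must rewrite this or the private address leaks."""
    return socket.inet_ntoa(icmp[8 + 12:8 + 16])

def trim_icmp_error(icmp: bytes) -> bytes:
    """ICMPTRIM-style mitigation: drop the quoted transport payload and recompute the ICMP checksum.
    The inner IP total-length field is left alone; it still describes the original packet."""
    outer, ip_hdr, l4_hdr, _ = split_icmp_error(icmp)
    msg = bytearray(outer + ip_hdr + l4_hdr)
    msg[2:4] = b"\x00\x00"
    struct.pack_into("!H", msg, 2, icmp_checksum(bytes(msg)))
    return bytes(msg)

def build_sample() -> bytes:
    """Constructed 'port unreachable' quoting a NATed host's FTP PORT segment (sample data, not a capture)."""
    payload = b"PORT 10,0,0,5,195,80\r\n"                       # 22 bytes of original payload
    tcp = struct.pack("!HHIIBBHHH", 40000, 21, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("198.51.100.7"))
    msg = bytearray(struct.pack("!BBHI", 3, 3, 0, 0) + ip + tcp + payload)
    struct.pack_into("!H", msg, 2, icmp_checksum(bytes(msg)))
    return bytes(msg)
```

After trimming, the 22-byte PORT line is gone while the inner IP and TCP headers (the part a stateful deNAT actually needs) survive unchanged.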