> On Dec 6, 2019, at 9:18 AM, Jason A. Donenfeld wrote:
>
> Hi Vasili,
>
> On Thu, Dec 5, 2019 at 10:28 PM Vasili Pupkin wrote:
>> I've just figured out that the same effect can also be achieved with
>> iptables:
>> iptables -t filter -I INPUT -m addrtype --limit-iface-in ! --dst-type
>> LOC
On 06.12.2019 18:18, Jason A. Donenfeld wrote:
But for the sake of wg-quick
the filter can be enabled for the wireguard interface only to be sure it
wouldn't break anything else
How do you propose this works? That'd require adding -d, right? In
that case we're back to more or less the original r
On 06.12.2019 19:12, Jordan Glover wrote:
But nft rule won't be visible from iptables tools like iptables-save,
right? This may be confusing for people who still use iptables for
setting up firewall on their systems.
Right. And for those using NFT, they will see a strange rule in their
defaul
On Friday, December 6, 2019 4:03 PM, Vasili Pupkin wrote:
> On 06.12.2019 18:08, Jason A. Donenfeld wrote:
>
> > On Fri, Dec 6, 2019 at 4:06 PM Jordan Glover
> > golden_mille...@protonmail.ch wrote:
> >
> > > On Thursday, December 5, 2019 8:24 PM, Jason A. Donenfeld ja...@zx2c4.com
> > > wrote:
On 06.12.2019 18:08, Jason A. Donenfeld wrote:
On Fri, Dec 6, 2019 at 4:06 PM Jordan Glover
wrote:
On Thursday, December 5, 2019 8:24 PM, Jason A. Donenfeld
wrote:
If we can make nft coexistence work reliably, perhaps we can run the
nft rule on systems where the nft binary simply exists.
Hi Vasili,
On Thu, Dec 5, 2019 at 10:28 PM Vasili Pupkin wrote:
> I've just figured out that the same effect can also be achieved with
> iptables:
> iptables -t filter -I INPUT -m addrtype --limit-iface-in ! --dst-type
> LOCAL -j DROP
Neat trick, but it still requires this to run on all incoming
On Fri, Dec 6, 2019 at 4:06 PM Jordan Glover
wrote:
>
> On Thursday, December 5, 2019 8:24 PM, Jason A. Donenfeld
> wrote:
>
> >
> > If we can make nft coexistence work reliably, perhaps we can run the
> > nft rule on systems where the nft binary simply exists.
> >
>
> Will this work correctly o
Hi all,
So the nft rule worked flawlessly on our Ubuntu machines, but I'm
having trouble applying the rule in Manjaro (undoubtedly user error).
I'll try again on some different machines in the lab.
Addressing zrm's question about carrying out the first two parts of the
attack with rp_filter is st
On Thursday, December 5, 2019 8:24 PM, Jason A. Donenfeld
wrote:
>
> If we can make nft coexistence work reliably, perhaps we can run the
> nft rule on systems where the nft binary simply exists.
>
Will this work correctly on systems where nft binary exist but only
iptables rules are used?
Jor
On 05.12.2019 23:24, Jason A. Donenfeld wrote:
Hey Vasili,
On Thu, Dec 5, 2019 at 8:50 PM Vasili Pupkin wrote:
Isn't it enough to just enforce Strong Host Model, i.e. a host won't
respond from its IP that is not facing the interface. If a host is
connected to two subnets 10.1.x.x and 10.2.x
Hey Vasili,
On Thu, Dec 5, 2019 at 8:50 PM Vasili Pupkin wrote:
> Isn't it enough to just enforce Strong Host Model, i.e. a host won't
> respond from its IP that is not facing the interface. If a host is
> connected to two subnets 10.1.x.x and 10.2.x.x and has two IPs 10.1.0.1
> and 10.2.0.1, it
On 12/5/19 14:13, Jason A. Donenfeld wrote:
Hey folks,
William unembargoed his nice vuln this week:
https://seclists.org/oss-sec/2019/q4/122
It appears to affect basically most common unix network stacks. This
isn't a WireGuard vulnerability, but rather something in the routing
table code and/
Isn't it enough to just enforce Strong Host Model, i.e. a host won't
respond from its IP that is not facing the interface. If a host is
connected to two subnets 10.1.x.x and 10.2.x.x and has two IPs 10.1.0.1
and 10.2.0.1, it will just drop all the packets sent to 10.1.0.1 that
came from the in
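The following is an added example, not code from this thread or from WireGuard. It models the two host models Vasili contrasts above (weak: any locally configured address is accepted on any interface; strong: the destination must belong to the receiving interface) and the verdict of the iptables rule he posted elsewhere in the thread, `iptables -t filter -I INPUT -m addrtype --limit-iface-in ! --dst-type LOCAL -j DROP`, including the variant restricted to one interface with `-i`. The interface table, the tunnel address 192.168.4.2 on wg0, and the simplified address-type classifier are all assumptions made for the example. One caveat the model makes visible: by my reading of the addrtype match, broadcast and multicast destinations are not of type LOCAL, so the unrestricted rule would also drop subnet broadcasts and multicast such as mDNS on the physical interfaces, which is one reason to limit it to the tunnel interface.

```python
"""Strong vs. weak host model as an INPUT-chain decision (added example).

Models the rule discussed in the thread:
    iptables -t filter -I INPUT -m addrtype --limit-iface-in ! --dst-type LOCAL -j DROP
The interface table below is constructed and addr_type() is a simplified
stand-in for the kernel's addrtype match.
"""
import ipaddress

# Constructed host: the two subnets from Vasili's example plus a
# WireGuard tunnel interface with an assumed address.
INTERFACES = {
    "eth0": ["10.1.0.1/16"],
    "eth1": ["10.2.0.1/16"],
    "wg0": ["192.168.4.2/24"],  # assumed tunnel address
}


def addr_type(dst, iface):
    """Classify a destination for packets arriving on `iface`, as
    `-m addrtype --limit-iface-in` would (simplified to the types that
    matter here).

    LOCAL     - an address configured on that interface
    BROADCAST - limited broadcast or that interface's subnet broadcast
    MULTICAST - 224.0.0.0/4
    UNICAST   - anything else, including another interface's address
    """
    ip = ipaddress.ip_address(dst)
    if ip.is_multicast:
        return "MULTICAST"
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "BROADCAST"
    for cidr in INTERFACES[iface]:
        local = ipaddress.ip_interface(cidr)
        if ip == local.ip:
            return "LOCAL"
        if ip == local.network.broadcast_address:
            return "BROADCAST"
    return "UNICAST"


def weak_host_accepts(dst, in_iface):
    """Weak host model: any locally configured address is accepted on
    any interface, so in_iface does not influence the decision."""
    ip = ipaddress.ip_address(dst)
    return any(
        ip == ipaddress.ip_interface(cidr).ip
        for cidrs in INTERFACES.values()
        for cidr in cidrs
    )


def strong_host_accepts(dst, in_iface):
    """Strong host model: the destination must be an address of the
    interface the packet arrived on."""
    return addr_type(dst, in_iface) == "LOCAL"


def iptables_verdict(dst, in_iface, only_iface=None):
    """Verdict of the posted rule for one packet in the INPUT chain.

    only_iface models adding `-i <iface>` so the rule applies to that
    interface only. Returns "DROP" when the rule matches, otherwise
    "ACCEPT" (an assumed default policy).
    """
    if only_iface is not None and in_iface != only_iface:
        return "ACCEPT"
    return "DROP" if addr_type(dst, in_iface) != "LOCAL" else "ACCEPT"


if __name__ == "__main__":
    cases = [
        ("10.1.0.1", "eth0"),      # own address on its own interface
        ("10.1.0.1", "eth1"),      # eth0's address arriving via eth1
        ("192.168.4.2", "eth0"),   # tunnel address probed from the LAN
        ("10.1.255.255", "eth0"),  # subnet broadcast on eth0
        ("224.0.0.251", "eth0"),   # mDNS multicast
    ]
    for dst, iface in cases:
        print(f"{dst:>14} via {iface}: weak={weak_host_accepts(dst, iface)} "
              f"strong={strong_host_accepts(dst, iface)} "
              f"rule={iptables_verdict(dst, iface)} "
              f"rule(-i wg0)={iptables_verdict(dst, iface, 'wg0')}")
```

Run it and compare the third case with the first two: under the weak host model the tunnel address is answered when probed via eth0, which is exactly what the strong host model and the posted rule both refuse; the broadcast and multicast cases show what the unrestricted rule drops in addition.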
Hey folks,
William unembargoed his nice vuln this week:
https://seclists.org/oss-sec/2019/q4/122
It appears to affect basically most common unix network stacks. This
isn't a WireGuard vulnerability, but rather something in the routing
table code and/or TCP code on affected operating systems. How