On 01/09/2013 02:04 AM, Costantino wrote:
> OK, let me provide more info.
>
> As I discovered, using a rule like the following:
>
> DNAT net fw:$FW_LAN_side:22 tcp 7805
>
> did not prevent an attacker from going through my Shorewall firewall by
> issuing a command equivalent to the following:
>
> wget "http://<IP-addr>:7805/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n HTTP/1.1" 302 527 "-" "curl/7.19.4 (i386-redhat-linux-gnu) libcurl/7.19.4 NSS/3.12.2.0 zlib/1.2.3 libidn/0.6.14 libssh2/0.18"
>
> as I could discover in the /var/log/access.log log file.
>
> Hence my question about whether there is a feature that allows one to
> associate a port with a specific process running on the firewall.
>
> In this case, for instance, dedicating port 7805 to process sshd.
>
No -- A packet filter like Netfilter only deals with packet headers, not the application payload.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
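Since, as Tom says, Netfilter sees only headers and cannot bind a port to a process, the request Costantino found has to be caught where the payload is visible: in the web server's access log. The following is an added example, not code from the thread or from Shorewall, that scans Apache combined-format log lines for the php-cgi option-injection pattern in that entry (a query string beginning with `-`, `allow_url_include`, `auto_prepend_file`, `../` traversal, an encoded null byte). The log lines are constructed; the IP addresses and timestamps are assumptions.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Apache combined log format: client, identd, user, time, request, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators, checked against the URL-decoded query string. A query that starts
# with "-" is being passed to php-cgi as command-line options; the -d settings
# and the auto_prepend_file traversal mirror the request quoted in the thread.
SUSPICIOUS = {
    "php_cgi_option_injection": re.compile(r"^-[A-Za-z]"),
    "allow_url_include": re.compile(r"allow_url_include\s*=\s*on", re.I),
    "auto_prepend_file": re.compile(r"auto_prepend_file\s*=", re.I),
    "path_traversal": re.compile(r"(\.\./){2,}"),
    "null_byte": re.compile(r"\x00"),
}

# Constructed sample log lines (addresses and times are made up).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jan/2013:01:55:12 +0100] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n HTTP/1.1" 302 527 "-" "curl/7.19.4 (i386-redhat-linux-gnu) libcurl/7.19.4"
192.0.2.10 - - [09/Jan/2013:01:56:30 +0100] "GET /index.php?page=home HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jan/2013:01:57:02 +0100] "GET /index.php?id=1%2500 HTTP/1.1" 200 88 "-" "curl/7.19.4"
""".splitlines()

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def inspect_request(target):
    """Return the names of all indicators matched by one request target."""
    query = urlsplit(target).query
    decoded = unquote_plus(query)   # first pass: %XX and '+' as space
    decoded = unquote(decoded)      # second pass so %2500-style double encoding is not missed
    return [name for name, rx in SUSPICIOUS.items() if rx.search(decoded)]

def scan_log(lines):
    """Return (client, status, indicators) for every request that matches at least one indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        found = inspect_request(rec["target"])
        if found:
            hits.append((rec["client"], int(rec["status"]), found))
    return hits

if __name__ == "__main__":
    for client, status, found in scan_log(SAMPLE_LOG):
        print(f"{client} status={status} indicators={','.join(found)}")
```

Note the 302 on the first sample line: a redirect does not mean the injected options were ignored, so the request is still worth alerting on.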
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users