"Costantino" wrote:
> OK, let me provide more info.
> As I discovered, using a rule like the following:
> DNAT net fw:$FW_LAN_side:22 tcp 7805
> did not prevent an attacker from going through my Shorewall firewall by
> issuing a command equivalent to the following:
> wget "http://<IP-addr>:7805/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../.../../../../../etc/passwd%00%20-n HTTP/1.1" 302 527 "-" "curl/7.19.4 (i386-redhat-linux-gnu) libcurl/7.19.4 NSS/3.12.2.0 zlib/1.2.3 libidn/0.6.14 libssh2/0.18"
> as I could discover in the /var/log/access.log log file.
> Hence my question about whether there is a feature that allows one to associate a
> port to a specific process running on the firewall.
> In this case, for instance, dedicating port 7805 to process sshd.

In the rule you've given, the packet will be delivered to the service listening on port 22 (i.e. your SSH server) - it will not be delivered to any other service. SSH should simply discard the packet as "not making sense".

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
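The reply's point is that a DNAT rule only rewrites the destination address and port; whatever process happens to be bound to the rewritten address:port on the firewall receives the packet. The quick way to confirm that for a given rule is to resolve the rule's DEST column and then look at the listening sockets. The shell script below is an added example, not Shorewall's own code or anything from the thread: it expands a rule against a stand-in for /etc/shorewall/params, extracts the target address and port, and matches them against constructed `ss -ltnp` output (the params value, the listeners and the two extra rules are made up for illustration). On a real firewall you would replace the two embedded strings with `cat /etc/shorewall/params` and `ss -ltnp`.

```shell
#!/bin/sh
# Added example (not Shorewall's code): for a Shorewall DNAT rule, work out
# which address:port on the firewall the packet is redirected to, and then
# which process is listening there. All sample inputs below are constructed.

# Constructed stand-in for /etc/shorewall/params: NAME=value pairs.
PARAMS='FW_LAN_side=192.168.1.1'

# Constructed stand-in for the output of `ss -ltnp` on the firewall.
SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    192.168.1.1:80      0.0.0.0:*         users:(("httpd",pid=1201,fd=4))'

# expand_params LINE: replace $NAME with its value from PARAMS (no eval).
expand_params() {
    line=$1
    for kv in $PARAMS; do
        name=${kv%%=*}
        value=${kv#*=}
        line=$(printf '%s' "$line" | sed "s/[\$]$name/$value/g")
    done
    printf '%s\n' "$line"
}

# dnat_target RULE: print "ORIGDPORT ADDR PORT" for a rule of the form
#   DNAT SOURCE zone:addr[:port] PROTO DPORT
# If DEST carries no port, the destination port is left unchanged (DPORT).
dnat_target() {
    set -- $(expand_params "$1")
    [ "$1" = "DNAT" ] || return 1
    dest=$3
    dport=$5
    addr=$(printf '%s' "$dest" | cut -d: -f2)
    port=$(printf '%s' "$dest" | cut -d: -f3)
    [ -n "$port" ] || port=$dport
    printf '%s %s %s\n' "$dport" "$addr" "$port"
}

# listener_for ADDR PORT: name of the process bound to ADDR:PORT (or to a
# wildcard address on PORT) in SS_OUTPUT; prints NONE if nothing listens.
listener_for() {
    printf '%s\n' "$SS_OUTPUT" | awk -v a="$1" -v p="$2" '
        $1 == "LISTEN" {
            n = split($4, f, ":"); lp = f[n]
            la = substr($4, 1, length($4) - length(lp) - 1)
            if (lp == p && (la == a || la == "0.0.0.0" || la == "*" || la == "[::]")) {
                s = $0
                # users:(("sshd",pid=812,fd=3)) -> sshd
                if (sub(/^.*users:\(\("/, "", s)) { sub(/".*$/, "", s); print s; found = 1; exit }
            }
        }
        END { if (!found) print "NONE" }'
}

# check_rule RULE: print "ORIGDPORT -> ADDR:PORT PROCESS"
check_rule() {
    t=$(dnat_target "$1") || return 1
    set -- $t
    printf '%s -> %s:%s %s\n' "$1" "$2" "$3" "$(listener_for "$2" "$3")"
}

check_rule 'DNAT net fw:$FW_LAN_side:22 tcp 7805'    # 7805 -> 192.168.1.1:22 sshd
check_rule 'DNAT net fw:$FW_LAN_side:80 tcp 8080'    # 8080 -> 192.168.1.1:80 httpd
check_rule 'DNAT net fw:$FW_LAN_side:8443 tcp 8443'  # 8443 -> 192.168.1.1:8443 NONE
```

The third rule is there to show the failure mode worth checking for: a DNAT whose target port has no listener at all, which yields a RST (or a drop, depending on the firewall's own policy) rather than reaching any service. If the process name printed for a port is not the one you intended, the fix is on the host side (what is bound where), not in the DNAT rule.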