[SunRescue] Help!

Joshua Snyder
Thu Apr 19 02:31:41 CDT 2001

It's true that the first router should drop the packets, but that is not
what will generally happen.  A router is stupid, and most small routers
don't have full BGP feeds.  So when most non-core routers get a packet that
has a destination in one of the non-routable blocks ( 192.168.x.x
172.16-32.x.x 10.x.x.x ) they just send it to their default gateway.  It is
a common mistake that people make, thinking that all packets that might get
out will be dropped.  So any packet might go several hops before it is
dropped.  The packet might be sniffed...  I have seen two times where
machines were hacked because of misconfigured firewalls and this
misconception of packets getting dropped.  The first time was with two
machines that shared an Ethernet segment.  The hacker just added a route to
192.168.1.x through the real IP address.  Then they could talk to all of
the machines behind the firewall.  The second time a hacker got admin access
on a PortMaster ( a dialup server ) and they did the same thing, just added
a route.  All of this can be avoided quite easily.  You just need to add a
rule to drop all packets coming from outside of the firewall that have a
destination behind the firewall.  Not hard, just something a lot of
people don't think about...


-----Original Message-----
From: Bill Bradford
Behalf Of Bill Bradford
Sent: Thursday, April 19, 2001 12:14 AM
To: rescue at sunhelp.org
Subject: Re: [SunRescue] Help!

On Wed, Apr 18, 2001 at 11:34:38PM -0500, Patrick Giagnocavo wrote:
> Why not check out OpenBSD btw?

Because getting pptpd/PoPToP/etc should be easier on a Linux box.
I'd prefer OBSD, but I'm going with what I can get working in the
shortest amount of time.

> Isn't the main point that since the NAT addresses are not routable, that
> chances of intrusion are much much smaller?  The first router the packet
> hits will drop anything in 192.168.x.x .



Bill Bradford
mrbill at mrbill.net
Austin, TX
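The two points made in the reply above, that a router with only a default route forwards a private destination upstream instead of dropping it, and that the fix is a rule on the firewall's outside interface dropping anything addressed to the private space behind it, are shown below in a small Python model. This is example code added to the archive page, not code from any poster; the interface name, the routing tables and the sample packets are constructed for the demonstration, and the companion anti-spoofing check and the blackhole routes go a step beyond what the post describes.

```python
"""Model of RFC 1918 leakage and the ingress rule that stops it.

Example code added here, not from the original thread. Interface names,
routing tables and packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# The three private blocks from RFC 1918. The post writes "172.16-32.x.x";
# the actual block is 172.16.0.0/12, i.e. 172.16.0.0 through 172.31.255.255.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed name of the firewall interface that faces the upstream provider.
OUTSIDE_IFACE = "eth0"


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    src: str
    dst: str


def is_private(addr: str) -> bool:
    """True if addr falls inside any RFC 1918 block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def next_hop(table, dst: str):
    """Longest-prefix-match lookup over a list of (prefix, next_hop) entries.

    This is the behaviour the post calls "stupid": with no specific entry
    for a private block, the default route matches and the packet is sent
    on to the default gateway rather than dropped.
    """
    ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


# Constructed tables. A small edge router knows its own LAN and a default
# route; the hardened one adds blackhole entries for the private blocks
# (an addition beyond the post, which only describes the firewall rule).
SMALL_ROUTER = [("0.0.0.0/0", "203.0.113.1"), ("198.51.100.0/24", "direct")]
HARDENED_ROUTER = SMALL_ROUTER + [(str(net), "blackhole") for net in RFC1918]


def verdict(pkt: Packet) -> str:
    """Return 'DROP' or 'ACCEPT' for a packet reaching the firewall.

    Only the outside interface is examined; inside traffic is left to the
    rest of the ruleset.
    """
    if pkt.iface != OUTSIDE_IFACE:
        return "ACCEPT"
    # The rule from the post: nothing arriving from outside may be addressed
    # to the private space behind the firewall, however it got here.
    if is_private(pkt.dst):
        return "DROP"
    # Companion anti-spoofing check (beyond the post): a packet from outside
    # cannot legitimately carry an inside source address either.
    if is_private(pkt.src):
        return "DROP"
    return "ACCEPT"


if __name__ == "__main__":
    # Constructed packets: leaked private destination, spoofed private
    # source, ordinary public traffic, and inside traffic on eth1.
    samples = [
        Packet("eth0", "203.0.113.5", "192.168.1.10"),
        Packet("eth0", "192.168.1.10", "198.51.100.7"),
        Packet("eth0", "203.0.113.5", "198.51.100.7"),
        Packet("eth1", "192.168.1.10", "203.0.113.5"),
    ]
    print("small router forwards 192.168.1.10 to:", next_hop(SMALL_ROUTER, "192.168.1.10"))
    print("hardened router sends it to:", next_hop(HARDENED_ROUTER, "192.168.1.10"))
    for p in samples:
        print(p.iface, p.src, "->", p.dst, verdict(p))
```

The `next_hop` lookup over `SMALL_ROUTER` is the whole problem in one call: 192.168.1.10 matches only the default route, so the packet leaves toward the upstream instead of dying at the first hop. The `verdict` function is the countermeasure, keyed on the arrival interface so that legitimate inside-to-inside traffic is never affected.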
