* empty filter on FORWARD chain with rp_filter means safe right?
@ 2010-10-08  4:31 Scott Mcdermott
From: Scott Mcdermott @ 2010-10-08  4:31 UTC (permalink / raw)
  To: netfilter

Hello,

I encountered a system today with two attached
networks, one public and the other RFC1918.  The box
had ip_forward=1, FORWARD chain empty, policy ACCEPT.
rp_filter was set on both the interfaces.

Now if I were somewhere off the public interface, but
many hops away, there is no possible way to get packets
to the RFC1918 side of the box is there?  Because I
have no way to actually route the packets to the
gateway with destination addresses on the far side.  So
actually this box is safe from malicious activity, even
though there is an ACCEPT policy on FORWARD and it's
set with routing enabled.  Is this correct?

Now if instead I have control of a station on the same
segment as the gateway's public interface, or if I
control routers in-between and can set up routes to get
packets to the box with the internal IPs as
destinations, then it's a different story.  But in the
common case of having ISPs in between (which will drop
my packets with RFC1918 destinations), it's not
possible to get packets to the gateway's internal
network except if they NAT some of them for me.

Please help me to see if my understanding is correct.

Thanks.


* Re: empty filter on FORWARD chain with rp_filter means safe right?
From: Payam Chychi @ 2010-10-08  4:40 UTC (permalink / raw)
  To: Scott Mcdermott; +Cc: netfilter

That's correct, Scott,
in order for any system to abuse your setup it will need to be 
directly connected to a segment that has knowledge of a valid route to the 
end system... meaning if a computer is 2 hops away and the router in 
between has no knowledge of how to get to your private RFC1918 network then pkts 
get dropped.

Keep in mind that as IPv4 exhaustion gets extreme, some ISPs will use 
RFC1918 blocks and route them either in their IGP or even EGP (aka 
Internet routes)...

-Payam
Network Engineer / Security Specialist



Scott Mcdermott wrote:
> Hello,
>
> I encountered a system today with two attached
> networks, one public and the other RFC1918.  The box
> had ip_forward=1, FORWARD chain empty, policy ACCEPT.
> rp_filter was set on both the interfaces.
>
> Now if I were somewhere off the public interface, but
> many hops away, there is no possible way to get packets
> to the RFC1918 side of the box is there?  Because I
> have no way to actually route the packets to the
> gateway with destination addresses on the far side.  So
> actually this box is safe from malicious activity, even
> though there is an ACCEPT policy on FORWARD and it's
> set with routing enabled.  Is this correct?
>
> Now if instead I have control of a station on the same
> segment as the gateway's public interface, or if I
> control routers in-between and can set up routes to get
> packets to the box with the internal IPs as
> destinations, then it's a different story.  But in the
> common case of having ISPs in between (which will drop
> my packets with RFC1918 destinations), it's not
> possible to get packets to the gateway's internal
> network except if they NAT some of them for me.
>
> Please help me to see if my understanding is correct.
>
> Thanks.



* Re: empty filter on FORWARD chain with rp_filter means safe right?
From: Jan Engelhardt @ 2010-10-08  5:02 UTC (permalink / raw)
  To: Payam Chychi; +Cc: Scott Mcdermott, netfilter


On Friday 2010-10-08 06:40, Payam Chychi wrote:

> That's correct, Scott,
> in order for any system to abuse your setup it will need to be directly
> connected to a segment that has knowledge of a valid route to the end system...
> meaning if a computer is 2 hops away and the router in between has no knowledge
> of how to get to your private RFC1918 network then pkts get dropped.
>
> Keep in mind that as IPv4 exhaustion gets extreme, some ISPs will use RFC1918
> blocks and route them either in their IGP or even EGP (aka Internet routes)...

Internally yes, but externally no. And it's not really RFC1918 routes being
"used in the Internet" - instead, it is "enlarging our NAT domain". (Mobile
UMTS/HSDPA providers do this in Germany already.)


* Re: empty filter on FORWARD chain with rp_filter means safe right?
From: Pascal Hambourg @ 2010-10-08 14:16 UTC (permalink / raw)
  To: netfilter

Hello,

Scott Mcdermott wrote:
> 
> I encountered a system today with two attached
> networks, one public and the other RFC1918.  The box
> had ip_forward=1, FORWARD chain empty, policy ACCEPT.
> rp_filter was set on both the interfaces.
> 
> Now if I were somewhere off the public interface, but
> many hops away, there is no possible way to get packets
> to the RFC1918 side of the box is there?  Because I
> have no way to actually route the packets to the
> gateway with destination addresses on the far side.  So
> actually this box is safe from malicious activity, even
> though there is an ACCEPT policy on FORWARD and it's
> set with routing enabled.  Is this correct?

No, it is wrong.
If all the routers on the path are compromised or misconfigured, they
could forward such packets to the box.
Unlikely? Yes. Impossible? No.

Not to mention any IP-IP encapsulation tunnel that would allow the
transport of a private packet over the public internet.

Do not have your security rely on someone else.
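A defender-side check for the state Scott describes, together with the default-deny FORWARD chain that Pascal's advice implies, as an added shell example that is not part of the thread. The `iptables -S FORWARD` samples and the interface names eth0/eth1 are constructed placeholders; the RFC1918 ranges are the ones defined in that RFC.

```shell
#!/bin/sh
# Added example, not from the thread: flag a box with ip_forward=1, an
# empty FORWARD chain and policy ACCEPT, and print a default-deny FORWARD
# chain so the box no longer relies on upstream routers to drop packets
# aimed at its RFC1918 side. rp_filter only validates a packet's *source*
# address against the routing table; it says nothing about which
# destinations get forwarded, so it is no substitute for these rules.

# Constructed samples of `iptables -S FORWARD` output (not from a real box).
# On a live system pass the real output and `sysctl -n net.ipv4.ip_forward`.
SAMPLE_OPEN='-P FORWARD ACCEPT'
SAMPLE_HARDENED='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT'

# audit_forward <ip_forward value> <iptables -S FORWARD output>
# Returns 1 (and says why) when forwarding is on with an ACCEPT policy
# and no rules at all; returns 0 otherwise.
audit_forward() {
    ipfwd=$1
    rules=$2
    policy=$(printf '%s\n' "$rules" | awk '$1 == "-P" && $2 == "FORWARD" { print $3 }')
    nrules=$(printf '%s\n' "$rules" | grep -c '^-A FORWARD' || true)
    if [ "$ipfwd" = 1 ] && [ "$policy" = ACCEPT ] && [ "$nrules" -eq 0 ]; then
        echo "RISK: ip_forward=1, FORWARD policy ACCEPT, no rules: everything is routed"
        return 1
    fi
    echo "ok: ip_forward=$ipfwd policy=$policy rules=$nrules"
    return 0
}

# hardened_ruleset <public iface> <internal iface>
# Prints iptables commands for a default-deny FORWARD chain; the interface
# names are placeholders for the box in question.
hardened_ruleset() {
    wan=$1
    lan=$2
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
# Refuse Internet-side packets aimed at RFC1918 space outright. The DROP
# policy also covers copies arriving decapsulated from a tunnel, where -i $wan would not match.
iptables -A FORWARD -i $wan -d 10.0.0.0/8 -j DROP
iptables -A FORWARD -i $wan -d 172.16.0.0/12 -j DROP
iptables -A FORWARD -i $wan -d 192.168.0.0/16 -j DROP
EOF
}

audit_forward 1 "$SAMPLE_OPEN" || true   # demo run on the open sample
audit_forward 1 "$SAMPLE_HARDENED"
hardened_ruleset eth0 eth1
```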


* Re: empty filter on FORWARD chain with rp_filter means safe right?
From: Payam Chychi @ 2010-10-08 16:18 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Scott Mcdermott, netfilter

Jan Engelhardt wrote:
> On Friday 2010-10-08 06:40, Payam Chychi wrote:
>
>   
>> That's correct, Scott,
>> in order for any system to abuse your setup it will need to be directly
>> connected to a segment that has knowledge of a valid route to the end system...
>> meaning if a computer is 2 hops away and the router in between has no knowledge
>> of how to get to your private RFC1918 network then pkts get dropped.
>>
>> Keep in mind that as IPv4 exhaustion gets extreme, some ISPs will use RFC1918
>> blocks and route them either in their IGP or even EGP (aka Internet routes)...
>>     
>
> Internally yes, but externally no. And it's not really RFC1918 routes being
> "used in the Internet" - instead, it is "enlarging our NAT domain". (Mobile
> UMTS/HSDPA providers do this in Germany already.)
>
>   
Perhaps re-look at what RFC1918 is... also, as you can read above, I 
stated IGP, which is internal routing and is not to increase NAT domains, 
and with an "even" EGP, which would be considered external to your network, 
and as you can see the latter was meant for extreme cases... but what do 
I know.


