Re: [suse-security] host.deny and spoofing
Hi,

-- 127.0.0.1 is localhost, like you said. How could someone establish a three-way handshake with a spoofed IP? Especially with 127.0.0.1!!
-- Do you really think a router or firewall forwards IPs like 127.0.0.1? Think about it.

> Hi all,
> here is a question:
> if I do a hosts.deny all and a hosts.allow imapd localhost, could someone spoofing his IP to 127.0.0.1 still access the IMAP server?
> thanks, Evert
> ------------------------------------
> Appearance deceives, nature doesn't
> ------------------------------------
--
Mark Ruth
Unix System Administrator
New York, ksh-2@markruth.2y.net

Mark Ruth wrote:
> -- Do you really think a router or firewall forwards ips like 127.0.0.1?

yes. If some big German ISP routes a spoofed packet from a webserver to my home firewall, I REALLY think that they forward IPs like 127.x.x.x... if you don't believe it, I can give you rejects for 192.168.x.x, 10.x.x.x, 127.x.x.x and so on ;-)

so, DON'T believe that others will do things for you..

--
intraDAT AG http://www.intradat.com
Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0
D - 60329 Frankfurt am Main Fax: +49 69-25629-256
Junk mail is war. RFCs do not apply.

On Monday 04 February 2002 12:30, you wrote:
> Mark Ruth wrote:
> > -- Do you really think a router or firewall forwards ips like 127.0.0.1?
>
> yes. If some big German ISP routes a spoofed packet from a webserver to my home firewall, I REALLY think that they forward IPs like 127.x.x.x... if you don't believe it, I can give you rejects for 192.168.x.x, 10.x.x.x, 127.x.x.x and so on ;-)
>
> so, DON'T believe that others will do things for you..

I agree, so many ISPs use default routes, and I've seen routing loops caused by this in quite well known ones, after networks have been returned to them. There is also the nasty business of source routes in packets.

Most ISPs take a head-in-the-sand approach and pass the buck on spoofing issues. Few check your outward bound packets for validity, as it costs time and money to get right.

It is possible to gain some extra protection by enabling ident lookups in hosts.allow and rejecting any connections from your internal networks that fail to be verified. It can't be relied upon to permit access, but a detected SPOOF is a strong indication that something is wrong.

Rob

On Monday 04 February 2002 05:37 am, Robert Davies wrote:
> > If some big German ISP routes a spoofed packet from a webserver to my home firewall, I REALLY think that they forward IPs like 127.x.x.x... if you don't believe it, I can give you rejects for 192.168.x.x, 10.x.x.x, 127.x.x.x and so on ;-)
> >
> > so, DON'T believe that others will do things for you..
>
> I agree, so many ISPs use default routes, and I've seen routing loops caused by this in quite well known ones, after networks have been returned to them. There is also the nasty business of source routes in packets.

I'm confused. How would one go about routing a packet to 127.0.0.1? Would the router not get its own packet?

--
_________________________________
John Andersen / Juneau Alaska

At 08:13 on Tuesday 5 February 2002, John Andersen wrote:
> On Monday 04 February 2002 05:37 am, Robert Davies wrote:
> > > If some big German ISP routes a spoofed packet from a webserver to my home firewall, I REALLY think that they forward IPs like 127.x.x.x... if you don't believe it, I can give you rejects for 192.168.x.x, 10.x.x.x, 127.x.x.x and so on ;-)
> > >
> > > so, DON'T believe that others will do things for you..
> >
> > I agree, so many ISPs use default routes, and I've seen routing loops caused by this in quite well known ones, after networks have been returned to them. There is also the nasty business of source routes in packets.
>
> I'm confused. How would one go about routing a packet to 127.0.0.1? Would the router not get its own packet?

It does not route to 127.0.0.1. It routes FROM 127.0.0.1, sometimes.

Praise

On Tuesday 05 February 2002 11:44, Praise wrote:
> At 08:13 on Tuesday 5 February 2002, John Andersen wrote:
> > On Monday 04 February 2002 05:37 am, Robert Davies wrote:
>
> It does not route to 127.0.0.1. It routes FROM 127.0.0.1, sometimes.

The kernel's rp_filter should detect this; it's turned on without me taking action on my SuSE system (perhaps by the firewall scripts, though I haven't noticed them setting this). Previously with Red Hat 6, I had to enable it myself like this:

    # Enable Anti-Spoof protection - sets source route verification
    for f in all default eth0 lo
    do
        echo 1 > /proc/sys/net/ipv4/conf/$f/rp_filter
    done

    # Disable on internal interfaces, as we can have asymmetric routing
    for f in eth1 eth2
    do
        echo 0 > /proc/sys/net/ipv4/conf/$f/rp_filter
    done

Now I just checked it under a SuSE dialup system using SuSE personal firewall. I have:

    oak:/work/dist/firewall # for iface in /proc/sys/net/ipv4/conf/*/rp_filter
    do echo "$iface `cat $iface`"
    done
    /proc/sys/net/ipv4/conf/all/rp_filter 1
    /proc/sys/net/ipv4/conf/default/rp_filter 1
    /proc/sys/net/ipv4/conf/eth0/rp_filter 1
    /proc/sys/net/ipv4/conf/eth1/rp_filter 1
    /proc/sys/net/ipv4/conf/lo/rp_filter 1
    /proc/sys/net/ipv4/conf/ppp0/rp_filter 1

Rob
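
An added example, not part of Rob's message or of the original thread: a POSIX shell audit of the per-interface rp_filter values he lists, extended to the source-route setting he raised earlier. The function names and the CONF_ROOT override are assumptions of this example; the effective-value rules in the comments follow the kernel's ip-sysctl documentation for current kernels.

```shell
#!/bin/sh
# Added example: audit anti-spoofing settings per interface.
# CONF_ROOT defaults to the live tree used in the thread; it can be pointed
# at a constructed directory for testing (an assumption of this example).
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print a setting's value, or 0 when the file is missing or unreadable.
read_setting() {
    if [ -r "$1" ]; then cat "$1"; else echo 0; fi
}

# Print "<iface> rp_filter=<mode> source_route=<yes|no>" for each interface.
# Per the kernel's ip-sysctl documentation (current kernels):
#   rp_filter: the larger of conf/all and conf/<iface> applies
#              (0 = off, 1 = strict, 2 = loose)
#   accept_source_route: honoured only if set in conf/all AND conf/<iface>
# Returns 1 if any interface has rp_filter off or accepts source routes.
rp_audit() {
    all_rp=$(read_setting "$CONF_ROOT/all/rp_filter")
    all_sr=$(read_setting "$CONF_ROOT/all/accept_source_route")
    status=0
    for dir in "$CONF_ROOT"/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        rp=$(read_setting "${dir}rp_filter")
        sr=$(read_setting "${dir}accept_source_route")
        if [ "$all_rp" -gt "$rp" ]; then rp=$all_rp; fi
        case "$rp" in
            1) mode=strict ;;
            2) mode=loose ;;
            *) mode=off; status=1 ;;   # 0 or anything unexpected
        esac
        if [ "$all_sr" = 1 ] && [ "$sr" = 1 ]; then
            route=yes; status=1
        else
            route=no
        fi
        echo "$iface rp_filter=$mode source_route=$route"
    done
    return "$status"
}

# Audit the live system only when invoked with "audit" as the first argument.
if [ "${1:-}" = "audit" ]; then rp_audit; fi
```

A non-zero exit status means at least one interface has reverse-path filtering off or still accepts source-routed packets, which makes the function usable in a boot-time or monitoring check.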

participants (5)
- John Andersen
- Mark Ruth
- Praise
- Robert Davies
- Sven Michels