Subject: Re: Odd ipf behaviour?
To: Darren Reed <darrenr@reed.wattle.id.au>,
        Manuel Bouyer <bouyer@antioche.lip6.fr>
Cc: tech-security@netbsd.org
From: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
List: tech-security
Date: Tue, 21 Sep 1999 09:33:15 -0400 (EDT)
Message-ID: <19990921093315.H490@acheron.middleboro.ma.us>
References: <19990919221430.L485@acheron.middleboro.ma.us> <19990920113942.A4576@antioche.lip6.fr> <19990920092544.R485@acheron.middleboro.ma.us> <19990920153611.A13646@antioche.lip6.fr> <19990920094607.U485@acheron.middleboro.ma.us> <19990920162343.C369@antioche.lip6.fr> <19990920131349.X485@acheron.middleboro.ma.us> <19990921135950.C4814@antioche.lip6.fr> <19990919221430.L485@acheron.middleboro.ma.us> <199909210941.TAA05599@avalon.reed.wattle.id.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <199909210941.TAA05599@avalon.reed.wattle.id.au>

On Tue, Sep 21, 1999 at 07:41:19PM +1000, Darren Reed wrote:

> So there were no IP options set (IP header length of 20), but it is a
> SYN-ACK from port 80 (WWW) to port 2049 (NFS).

And I've learned more since yesterday. I learned that RPC services hop around,
and that filtering specific ports won't get 'em. Whee! But, that's a good
thing, as I've now got a fairly rabid default deny strategy in place.

On Tue, Sep 21, 1999 at 01:59:50PM +0200, Manuel Bouyer wrote:

> So it's either a deliberate aggression, or something strange with routes
> in your area that installed temporary routes to 10.0.0.x

Given that it's going to port 2049, I'd suspect aggression.

> Is your wire a broadcast one (like ethernet)?

MediaOne - BroadBand - ethernettish.

> Do you run mrouted ?

No.

The one thing I still want to be able to do is to filter packets that come in
on my outside interface and are destined for the internal network *before* NAT
translates them. Maybe this isn't needed, but it's something I'd like to see
happen. Is it possible? I've been scouring the docs to no avail. Basically,
if someone can somehow deliver a packet to my box that's not source routed but
that is aimed at an internal machine, it'll get through. This can only happen
on a really limited number of ports, but I don't want it to happen at all. :)

Being that it's a cable modem, I don't have a router sitting in-stream that
can do this. I suppose I could set up a dedicated firewall box between the
cable modem and my current firewall which could do this... I'd simply rather
do it locally on my currently-connected box.

-- 
    Mason Loring Bliss  mason@acheron.middleboro.ma.us  They also surf who
awake ? sleep : dream;  http://acheron.ne.mediaone.net  only stand on waves.
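An ipf.conf fragment for the default-deny policy and the outside-interface ingress filtering described in the message above, added here as an example; it is not code from anyone in the thread. It assumes an outside interface named ep0 and an inside interface named ep1 (hypothetical names), an internal network of 10.0.0.0/8 (the range Manuel mentions), and IPFilter's order of operations for inbound traffic (NAT translation first, then the filter rules).

```conf
# Added example, not from the original thread. Assumed names: ep0 is the
# cable-modem side, ep1 is the LAN side, and the LAN is 10.0.0.0/8.

# 1. Default deny in both directions, logged; every rule below is a hole
#    punched in this policy.
block in log all
block out log all

# 2. Ingress rules on the outside interface. A packet arriving from the
#    cable segment that is addressed directly to an internal host is not a
#    reply to any NAT mapping, so it still carries the 10.x destination when
#    the filter sees it and is dropped here. A packet that claims an
#    internal source address on the outside wire is dropped as well.
block in log quick on ep0 from any to 10.0.0.0/8
block in log quick on ep0 from 10.0.0.0/8 to any

# 3. Let the firewall and the LAN initiate outbound connections and keep
#    state, so only replies to those connections are let back in. No
#    inbound SYN (and no unsolicited SYN-ACK, such as the one seen from
#    port 80 to port 2049) is ever passed on ep0.
pass out quick on ep0 proto tcp from any to any flags S keep state
pass out quick on ep0 proto udp from any to any keep state
pass out quick on ep0 proto icmp from any to any keep state

# 4. The inside interface is trusted; tighten as needed.
pass in quick on ep1 all
pass out quick on ep1 all
```

The rule in step 2 is what addresses the worry about packets aimed at an internal machine reaching it through the NAT box: such a packet is addressed to a 10.x host rather than to the firewall's public address, so the map entries have nothing to reverse-translate and the filter sees the original destination. The caveat, under the assumed processing order, is the opposite case: traffic that an rdr rule deliberately forwards inward is already translated by the time the filter runs, so any pass rule for it has to be written against the internal (translated) address, not the public one.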