Re: ipchains
On Mon, Dec 25, 2000, Alon Oz wrote about "Re: ipchains":
> The ICQ protocol reveals the real IP of the computer running the client,
> so even if you use GNU replacements it doesn't matter.
So what? Unless you have a completely-proxy-firewall (block everything and
allow only application proxies), whatever packets you let through (be they http,
ftp, or icq) carry the IP address of the machine behind the firewall. But
so what? If you use globally addressable IP addresses, face the consequences...
ARIN or RIPE will contain your address range and attackers can use that to
try the attack on every one of your addresses; alternatively, if you use NAT
then all outgoing packets will be given one IP address anyway, and your
argument is (at least as I see it) false.
Case in point:
I set up a firewall at home that is deliberately open to ICQ (through-server
messages only). The firewall does NAT for a couple of machines, each of them
with a different IP address (from a reserved area of the address space).
Sure enough, _no_ packet is ever sent out of the firewall with either of
the "secret" addresses, so that ICQ will only know the firewall's (publicly
known) address.
> This "feature" opens a window for "crackers" to use various firewall
> penetrating/piercing techniques.
This seems to me like "security by obscurity": all the crackers know is the
IP address of ICQ-using machines. How to use that in an attack that isn't
possible by simply attacking all your addresses is beyond me.
--
Nadav Har'El | Monday, Dec 25 2000, 28 Kislev 5761
nyh@math.technion.ac.il |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |I had a lovely evening. Unfortunately,
http://nadav.harel.org.il |this wasn't it. - Groucho Marx
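
One way to check, on packets captured at a NAT firewall's external interface, that no internal address leaves either in the IP header or inside the payload. This is an added example, not part of the original message; the internal hosts, the public address 203.0.113.7 and the sample packets are constructed, and pulling packets out of a capture is assumed to happen elsewhere.

```python
import ipaddress
import struct

# Assumed internal hosts behind the NAT box (constructed values, RFC 1918 space).
INTERNAL_HOSTS = [ipaddress.ip_address(a) for a in ("192.168.1.2", "192.168.1.3")]

def build_ipv4(src, dst, payload, proto=17):
    """Build a minimal IPv4 packet (checksum left at 0) for the constructed samples."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload

def audit_packet(packet, internal=INTERNAL_HOSTS):
    """Return findings for one packet seen on the external interface."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["not a complete IPv4 packet"]
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return ["bad IPv4 header length"]
    findings = []
    src = ipaddress.ip_address(packet[12:16])
    if src in internal:
        findings.append(f"header: source {src} was not rewritten by NAT")
    payload = packet[ihl:]
    # NAT rewrites headers only; an application may still embed its own
    # address in the data, as 4 raw bytes or as dotted-decimal text.
    for host in internal:
        for label, needle in (("raw", host.packed), ("ascii", str(host).encode())):
            off = payload.find(needle)
            if off != -1:
                findings.append(f"payload: {host} ({label}) at offset {off}")
    return findings

# Constructed samples; 203.0.113.7 stands in for the firewall's public address.
SAMPLES = {
    "masqueraded": build_ipv4("203.0.113.7", "198.51.100.9", b"hello"),
    "unrewritten": build_ipv4("192.168.1.2", "198.51.100.9", b"hello"),
    "leaky_payload": build_ipv4("203.0.113.7", "198.51.100.9",
                                b"\x00\x01" + ipaddress.ip_address("192.168.1.3").packed),
}

def audit_all(samples=SAMPLES):
    return {name: audit_packet(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or "clean")
```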