Jan Engelhardt wrote: > On Sunday 2009-12-27 09:11, Роман Цисык wrote: >> А questionable point exists in the conntrack expectations design. What >> happens if somebody opened fake outgoing connection which would match >> conntrack helpers' signatures? Conntrack module will be able to add >> records in expectation table. >> Unfortunately, all users from 192.168.0.0/24 will have problems with >> an active FTP. Users will force administrators to read boring manuals >> as alredy founded and load nf_connrack_ftp + nf_nat_ftp to "overcome" >> the problem. >> Next, if malicious software would initiate connection as in the >> previous case, NAT subsystem will forward (y << 8 | z) port to outside >> by changing source PORT command and, in fact, forwarding a port >> inside. So, if we something would open connections to remote 21 port >> and send our PORT commands, we can transparently open ANY port from >> INTERNAL server to the public Internet, regardless NAT. Hereinafter, >> I'll call this "conntrack back-connection issue". > > That is what helpers are supposed to do. If that poses a security risk, > to your network, I advise not to use them. In case of FTP that is easily > worked around by using passive ftp. It should also be pointed out that helpers don't allow anything, the rule accepting RELATED packets does. And it can be preceeded by filtering rules to restrict what the helper is able to do. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
