Re: MASQ leak?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Thu, Aug 31, 2023 at 11:33 AM Jan Engelhardt <jengelh@xxxxxxx> wrote:
> On Thursday 2023-08-31 11:14, Ian Kumlien wrote:
> >
> >Anyway, it turns out that netfilter masq can leak internal information.
> >
> >It was fixed by doing:
> >table inet filter {
> >...
> >       chain forward {
> >               type filter hook forward priority 0
> >                ct state invalid counter drop # <- this one
> >
> >It just seems odd to me that traffic can go through without being NAT:ed
> MASQ requires connection tracking; if tracking is disabled for a connection,
> addresses cannot be changed.

I don't disable connection tracking - this is most likely a expired
session that is reused and IMHO it should just be added

> >And since i thought it was quite bad to just drop internal traffic
> Now you know why drop policies are in place in every serious installation.

I have never had to use this to prevent internal traffic from getting
out in a non-nat:ed state.
Not with ipfw, ipchains, iptables - I have never seen this behaviour
before, not in 25 years..

[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux