On Mon, 15 Jan 2007, Anil Gunturu wrote:
> OK. Does the same thing apply to ftp when NAT is involved? If the port
> command comes fragmented and out-of-order, and the conntrack module
> doesn't reassemble the packets, the "inside" ip address goes out
> untranslated. Is this considered a security breach?
[Please do not top-post. Thanks.]
NAT is built on top of conntrack. So fragmented packets get defragmented
before processing, but out-of-order packets are not reordered by netfilter.
A deliberate attacker can force PORT commands and PASV responses to be broken
up and carried in multiple non-fragmented packets, and those then
"slip through" without NATing. However, what can be gained by this?
Conntrack cannot detect the IP address/port, so the data channel won't be
"opened up" by conntrack. The attacker can discover the real IP address of
the other side, that's all. NAT is not meant to be a security solution.
Best regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
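To illustrate the distinction Jozsef draws (IP fragments are reassembled, out-of-order TCP segments are not), here is an added example, my own code and not netfilter's FTP helper: a per-segment PORT matcher next to one that reorders by sequence number and buffers up to CRLF before matching. The segments, sequence numbers and the 10.0.0.5 address are constructed for the demo.

```python
import re

# One complete "PORT h1,h2,h3,h4,p1,p2\r\n" line (RFC 959 syntax).
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n")


def parse_port(line: bytes):
    """Return (ip, port) for a complete PORT line, or None if it does not match."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def per_segment_matcher(payloads):
    """Naive helper: looks at each TCP payload in isolation, no reassembly."""
    return [r for r in (parse_port(p) for p in payloads) if r is not None]


class StreamMatcher:
    """Helper that reorders by TCP sequence number and reassembles to CRLF."""

    def __init__(self, isn: int):
        self.next_seq = isn      # next in-order byte we expect
        self.pending = {}        # seq -> payload, held while out of order
        self.buf = b""           # in-order bytes not yet terminated by CRLF
        self.found = []

    def feed(self, seq: int, payload: bytes):
        self.pending[seq] = payload
        # Drain every segment that is now contiguous with the stream.
        while self.next_seq in self.pending:
            data = self.pending.pop(self.next_seq)
            self.next_seq += len(data)
            self.buf += data
            while b"\r\n" in self.buf:
                line, self.buf = self.buf.split(b"\r\n", 1)
                r = parse_port(line + b"\r\n")
                if r is not None:
                    self.found.append(r)
        return self.found


def demo():
    # Constructed: the command "PORT 10,0,0,5,4,1\r\n" split across two segments
    # that arrive out of order (assumed initial sequence number 1000).
    seg1, seg2, isn = b"PORT 10,0,0", b",5,4,1\r\n", 1000
    arrivals = [(isn + len(seg1), seg2), (isn, seg1)]
    naive = per_segment_matcher([p for _, p in arrivals])   # sees nothing
    sm = StreamMatcher(isn)
    for seq, p in arrivals:
        sm.feed(seq, p)
    return naive, sm.found                                  # [] vs [("10.0.0.5", 1025)]
```

The per-segment matcher never sees a complete command, which is exactly why the inside address would leave untranslated; the stream-aware matcher recovers it once the bytes are contiguous.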