On 08/15/08 10:38, Stephen Isard wrote:
Thanks, Grant.
*nod*
I don't think any spoofing is required. I had in mind someone who had gained access to my local network (not simple, but not out of the question) and who was essentially pretending to be a printer by sending packets from his port 161 immediately following a cups broadcast. I'm not worried about people without access to the local network because they wouldn't see the broadcast that opens the "recent" time window.
Um, if they have gotten a system in to your LAN I think you have bigger problems. If this is a real concern, I'd suggest that you look in to 802.1x (port) authentication.
Also remember that you can adjust the length of time for the "recent" window. You can probably also mitigate the window by looking for the closing connection (at least with TCP) and do a --remove to clear the connection from the recent list.
Am I fussing over nothing here? Is it clear that much harm can be done by getting upd packets through my firewall to arbitrary high numbered ports? Denial of service is probably not a big issue because of the short time window.
I don't think you are fussing over nothing, but you certainly should consider other things first. Now if you have already considered the other things, then by all means, continue discussing here. ;)
Grant. . . . -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html