True, while that workaround will work (assuming a non-customized or hijacked install), rejecting TCP packets (as you point out) is easy enough modified on the individual rule, and shouldn't be hard to add to Manuel's PHP config.

While I can't see a large security risk here, I push this because I hate the idea of a packet going somewhere where it doesn't need to be. For instance, knowing that IDENT is accepted at the firewall level (which could possibly be assumed if a m0n0wall router is not dropping, but rejecting IDENT TCP packets), a hacker could hijack the firewall with a Trojan horse using port 113. Weren't we nice in opening it for them at the firewall level lol? This is a negligible risk at the moment, but if m0n0wall gets to be like Cisco router IOSes it'd become important. (Boy Scouts rule: hope for the best, plan for the worst.)

Me not being a hacker, I can't really elaborate on what exact vulnerabilities this could add, but if I can think of one thing, I'd guess a black hat hacker could think of more.

Still wanting rejection,
Brandon

-----Original Message-----
From: Fred Wright [mailto:fw at well dot com]
Sent: Tuesday, December 30, 2003 7:48 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Possible to reject ident with tcp-reset ?

On Tue, 30 Dec 2003, Brandon Holland wrote:

> I was looking for this myself. IMO, it looks like instead of just
> "Block" and "Accept" maybe present "Block" needs to be renamed "Drop"

That's normally referred to as "deny" though admittedly that's more ambiguous.

> and a new entry should be added, (to hold true to certain unix-world o/s
> apps) named "Reject."

Indeed it would be useful to select this on a per-rule basis as well as for the default (for those of us who don't subscribe to Steve Gibson's rantings about "stealth mode" being the ideal).

On Tue, 30 Dec 2003, Chad R. Larson wrote:

> At 02:09 AM 12/30/2003, Mark N. wrote:
> >Is there some way to reject ident requests (with tcp-reset?), so ident
> >requests doesn't have to timeout ?
>
> Sure. Block port 113 inbound.

It's already blocked by default, but with "deny" rather than "reject". The workaround is simply to *allow* it through the firewall. In the absence of NAT redirection, it then tries to connect to the nonexistent identd on the m0n0wall, and gets a normal TCP RST.

Silently discarding ident requests is almost always a bad idea, since that usually adds a delay of about 30 seconds to the time to connect to any server that uses ident. Then there are a few servers that actually require *successful* ident, but that's another story.

Fred Wright

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
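For concreteness, the three behaviours the thread compares (silent drop, reject with RST, and Fred's "just allow it" workaround) written as ipfilter rules for port 113. This is an added example, not m0n0wall's generated ruleset, and the WAN interface name fxp0 is an assumption.

```ipf
# Added example, not m0n0wall's generated rules. Assumes the WAN NIC is fxp0.

# "Block" as m0n0wall ships it (a deny): the SYN is silently dropped, so a
# remote server's identd client keeps retransmitting until its own timer
# expires, which is the ~30 second connect delay Fred describes.
block in quick on fxp0 proto tcp from any to any port = 113

# The per-rule "Reject" being requested: the firewall answers the SYN with a
# TCP RST, so the client fails at once and the real session proceeds without
# the ident wait. Nothing is passed to the m0n0wall's own stack.
block return-rst in quick on fxp0 proto tcp from any to any port = 113 flags S

# Fred's workaround: pass the SYN to the firewall's own TCP stack, where no
# identd listens, so the kernel itself sends the RST. Only equivalent when no
# NAT rule redirects port 113 inwards, otherwise the packet reaches a host.
pass in quick on fxp0 proto tcp from any to any port = 113 flags S keep state
```

Only one of the three rules belongs in a live ruleset; they are shown together so the difference in what the remote client sees is side by side.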