(repaired top-post and improper quoting)
On Tue, 30 Dec 2003, Brandon Holland wrote:
> From: Fred Wright [mailto:fw at well dot com]
> Sent: Tuesday, December 30, 2003 7:48 PM
>> The workaround is simply to *allow* it through the firewall. In the
>> absence of NAT redirection, it then tries to connect to the nonexistent
>> identd on the m0n0wall, and gets a normal TCP RST.
> True, while that workaround will work (assuming a non-customized or
> hijacked install), rejecting tcp packets (as you point out) is easy
> enough modified on the individual rule, and shouldn't be hard to add to
> Manuel's php config.
Indeed it shouldn't be that hard to add; I was just pointing out how I get
around the deficiency *now*.
> While I can't see a large security risk here, I push this because I hate
> the idea of a packet going somewhere where it doesn't need to be.
While that's true in some theoretical sense, the TCP code quite
straightforwardly rejects a packet for a port where there's no listener.
In fact, depending on how clever the filter rule processing is, this might
actually involve *less* overhead than doing it at the IP filter level.
> For instance, knowing that IDENT is accepted at the firewall level
> (which could possibly be assumed if a m0n0wall router is not dropping,
> but rejecting IDENT TCP packets), a hacker could hijack the firewall
> with a Trojan horse using port 113. Weren't we nice in opening it for
> them at the firewall level lol?
Nope. The only way a cracker (don't use the term "hacker" in this sense,
grr...) could do this is by installing a port 113 listener *on the
firewall*. Anything with sufficient access to do that could also change
the firewall configuration anyway. The reason this happens all the time
on Windoze boxes is because of applications like IE and OE that
"helpfully" run any script that comes their way (though almost all systems
are vulnerable to malicious package installers when the concept of
"installing packages" exists).
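The three ways of handling an inbound identd probe that the exchange above contrasts (silent drop, reject with a RST at the filter, or allow it through to a port with no listener), as an added illustration in ipfilter (ipf) rule syntax; it is assumed here that ipf is the filter layer behind m0n0wall's PHP configuration, the interface name `fxp0` is a placeholder, and none of this is taken from the thread or from the m0n0wall project:

```conf
# Assumed WAN interface name (placeholder); substitute the real one.
# The three rules below are alternatives, not a rule set: with "quick",
# the first matching rule wins, so pick exactly one.

# Option 1: silent drop. The remote mail/IRC server gets no answer and
# waits for its ident lookup to time out before accepting the connection.
block in quick on fxp0 proto tcp from any to any port = 113

# Option 2: reject at the filter. ipf answers the SYN with a TCP RST, so
# the remote side abandons the ident lookup immediately. No listener needed.
block return-rst in quick on fxp0 proto tcp from any to any port = 113

# Option 3 (the workaround described above): let the SYN through to the
# firewall itself. With no identd listening and no NAT redirect on port 113,
# the TCP stack answers with a RST, the same on-the-wire result as option 2.
pass in quick on fxp0 proto tcp from any to any port = 113 flags S keep state
```

Option 2 is the one that avoids the packet ever reaching the host's TCP stack, which is the concern raised in the quoted text; options 2 and 3 are indistinguishable to the remote identd client.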