[securitywatch] Re: tunneling through firewall ?
- From: securitywatch@xxxxxxxxxxxxx
- To: securitywatch@xxxxxxxxxxxxx
- Date: Sun, 20 Aug 2006 23:51:45 +0200
Hello Amigo_x,
I know that i can set the configuration, but my question was based on
the fact that if there is an existing firewall, which you cannot
configure, if you can 'bypass' it lets say using a special prepared
packet?
If eg. firewall with WAN IP 11.11.11.11 accepting packets only at port
22, and in that LAN there is a host lets say 10.1.1.2 accepting
packets at port 80, if i can send 'special packets' to firewall`s port
22 and bypass it, hiting the host 10.1.1.2 behind it on port 80 ?
As i can remember, weak settings make that possible, eg. if the
packets use overlaping fragmentation (flags can be set for TCP/IP), or
just think at the ACK flag, a firewall which is realised by a static
packet filter wont care if there has been asked for a connection
(stateles) and accept all packets with ACK flag set.
But i`m not asking about those flags, i`m asking if there is some
posibility to prepare packets for the scenario i described above. What
do you think ?
Cheers, Adam
Sunday, August 20, 2006, 7:50:09 PM, you wrote:
<==============Original message text===============
sfo> Hello All
sfo> Yes it's teorecticly 101% posible. most of the new firewalls have this
sfo> options.
sfo> Exemple: linux firewall,with port forwarding si some special; settings if
sfo> someone has as firewall = a router , he must put on it forward on port &
sfo> ip.
sfo> Let's say: 11.11.11.11 port 80 but from this port the firewall doaes/t let
sfo> you to di that beacause u have an internal ip: ( 10.1.1.1 ). but u when u
sfo> access 11.11.11.11 u set it: if he gets requests from port 80 to send tham
sfo> at the intern ip 10.1.1.1 on port 22. but that depens what firewall u use,
sfo> what kind of information u want to send & recive, on what ports, ect but i
sfo> think that it's very posible but u need a good configuration. But
sfo> remember: not all firewalls have port forwarding
sfo> That is my opinion. Don't accept it if it's wrong :)
sfo> cheers!
sfo> Amigo_X
>> Hi all
>>
>> I have a question, do you think, it is basicaly possible to tunnel
>> packets from outside a fireall to hosts behind it to reach ports which
>> are masqueraded?
>> Eg. if a host in the LAN is listening at port 80 , but the firewall
>> dont forward that port, and the WAN interface is listening at, lets
>> say port 22 , can you tunnel trafic through the firewall at port 22
>> and hiting the host behind it at port 80 ?
>> Do you see any possibilities?
>>
>> Ah, and please be free to ask other to join our list, i`ll be happy
>> to add your recommendations.
>>
>>
>> cheers!
>> Adam
>>
>>
>>
<===========End of original message text===========
--
Best regards,
Adam Pal mailto:pal_adam@xxxxxxx
Other related posts:
