Re: iptables rule to block FTP-NAT-Helper-Traffic
- From: Kevin Kempfer <usenet_spam@xxxxxxxxxxxxxx>
- Date: Wed, 26 Nov 2008 18:24:45 +0100
Hello,
Pascal Hambourg wrote:
I visit a page with a hostile java applet
Here is the actual security problem.
which I have in mind, but I cannot stop all users on my network to use java.
Is there a way to block this kind of traffic?
Sure. As I wrote, the security problem happens only with FTP active mode, so you can block active mode data connections, which are incoming connections. You can identify packets related to the FTP conntrack/NAT helper with the "helper" match.
iptables -A FORWARD -i external_interface -m state --state RELATED \
-m helper --helper ftp -j DROP
In order to be effective, this rule must be placed before the general "-m state ESTABLISHED,RELATED -j ACCEPT" rule.
Isn't this to be done on the router? As I don't have access to the router, I would like to secure my own machine against this attack. What I need is a rule which is running locally on my computer. Is there still a helper match?
Anyway, is this really efficient? Couldn't the hostile applet just connect locally to the VNC port and relay the communication with the hostile server?
Sure, it could, but it isn't as trivial as it is now ;)
Thank you!
Kevin
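As an added example that is not part of the thread, the following Python script checks the ordering point Pascal makes (the helper DROP must sit before the generic ESTABLISHED,RELATED ACCEPT) against an `iptables -S` style dump, applied to Kevin's local case with the INPUT chain instead of FORWARD. The rule dumps and the interface name eth0 are constructed samples, not output from a real host.

```python
import re

# Constructed sample of `iptables -S INPUT` output. The helper-based DROP for
# active-mode FTP data connections precedes the generic RELATED accept.
SAMPLE_GOOD = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED -m helper --helper ftp -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Same rules with the DROP after the generic accept: it is shadowed and never hit.
SAMPLE_BAD = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED -m helper --helper ftp -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""


def parse_rules(dump, chain):
    """Return the rules appended to `chain`, in the order they are evaluated."""
    rules = []
    for line in dump.splitlines():
        m = re.match(r"-A (\S+) (.*)", line.strip())
        if m and m.group(1) == chain:
            rules.append(m.group(2))
    return rules


def helper_drop_index(rules):
    """Index of the first rule dropping RELATED traffic tied to the ftp helper."""
    for i, r in enumerate(rules):
        if "-m helper --helper ftp" in r and "RELATED" in r and "-j DROP" in r:
            return i
    return None


def generic_related_accept_index(rules):
    """Index of the first ACCEPT that matches RELATED without a helper restriction."""
    for i, r in enumerate(rules):
        if re.search(r"--state \S*RELATED", r) and "-j ACCEPT" in r and "-m helper" not in r:
            return i
    return None


def check_ordering(dump, chain="INPUT"):
    """Return (ok, reason): ok is True only when the helper DROP is reachable."""
    rules = parse_rules(dump, chain)
    d, a = helper_drop_index(rules), generic_related_accept_index(rules)
    if d is None:
        return False, "no ftp-helper RELATED drop rule in %s" % chain
    if a is None or d < a:
        return True, "ftp-helper drop rule at position %d is reachable" % (d + 1)
    return False, "drop rule at position %d is shadowed by generic accept at %d" % (d + 1, a + 1)
```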