Natd passing data out on low ports

Richard Smith rdls at satamatics.com
Tue Jul 17 00:42:04 BST 2001


On Mon, Jul 16, 2001 at 02:14:42AM +0100, Gavin Atkinson wrote:
> 
> Hi,
> 
> I currently have a server with two network cards, one is attached to a
> private internal network (10.x.x.x) which can see the internet via natd
> through the second network card. Natd is started through rc.conf:
> 
> (irrelevant lines snipped)
> natd_enable="YES"
> natd_interface="rl1"
> 
> My problem is this:
> 
> Users on hosts on the internal network can use rlogin etc. to a host on
> the external network, and to that external host the connection appears to
> come from a privileged port on the box running natd. This means that a
> user with root on an internal box (or indeed a user on a windows box
> attached to the internal network) can spoof an rlogin as if it came from a
> user on the gateway machine, and all without leaving a log.
> 
> How do I prevent natd from binding outgoing connections to low-numbered
> ports? At the moment this seems like a pretty big security hole...

Correct, r*utils are a pretty big security hole. Anyone that's security 
conscious wouldn't use them at all (unless they were on a secure intranet,
which is clearly not the case here - you will notice BTW that they're 
disabled by default in FreeBSD now). So what's wrong with using ssh?

Say you did manage to stop nat from allocating privileged ports, then none 
of your users would be able to use r*utils from behind nat, so you may as
well turn it off anyway :-)

-- 
Richard Smith
Network Systems Director
Satamatics Ltd
Green Lane, Tewkesbury, GL20 8HD, United Kingdom
Tel: +44 1684 278610
Fax: +44 1684 278611
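An added defender-side check, not part of the original thread, that illustrates the exposure Gavin describes: a connection leaving the NAT box towards one of the r* services (512 exec, 513 login, 514 shell) from a source port below 1024 is exactly the one the remote host will treat as coming from root on the gateway. The record format and the addresses are constructed for this example and do not come from natd or any FreeBSD tool.

```python
"""Flag NAT-translated TCP flows that would satisfy the rlogin/rsh
privileged-source-port trust check discussed in the thread."""
from dataclasses import dataclass
from typing import List

# r* services whose servers trust a client source port below 1024
# (rexec 512, rlogin 513, rsh 514).
R_SERVICE_PORTS = {512: "exec", 513: "login", 514: "shell"}
PRIVILEGED_MAX = 1023


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<proto> <src_ip>:<port> -> <dst_ip>:<port>'."""
    proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected record: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto, src_ip, int(src_port), dst_ip, int(dst_port))


def is_exposed(flow: Flow) -> bool:
    """True when an outbound r* connection leaves the gateway from a
    privileged port, i.e. the remote host will treat it as root-originated."""
    return (flow.proto == "tcp"
            and flow.dst_port in R_SERVICE_PORTS
            and flow.src_port <= PRIVILEGED_MAX)


def exposed_flows(records: List[str]) -> List[Flow]:
    """Return the flows from the records that match the exposure."""
    return [f for f in map(parse_flow, records) if is_exposed(f)]


# Constructed sample: translated flows as seen on the NAT box's outside address.
SAMPLE_RECORDS = [
    "tcp 192.0.2.10:1023 -> 198.51.100.5:513",   # rlogin from a low port: exposed
    "tcp 192.0.2.10:1022 -> 198.51.100.5:514",   # rsh from a low port: exposed
    "tcp 192.0.2.10:40213 -> 198.51.100.5:513",  # rlogin from a high port: rlogind rejects it
    "tcp 192.0.2.10:1021 -> 198.51.100.5:22",    # ssh does not trust the source port
    "udp 192.0.2.10:1020 -> 198.51.100.5:514",   # udp/514 is syslog, not rsh
]

if __name__ == "__main__":
    for f in exposed_flows(SAMPLE_RECORDS):
        print(f"EXPOSED {R_SERVICE_PORTS[f.dst_port]}: "
              f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}")
```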
