Natd passing data out on low ports

Gavin Atkinson gavin.atkinson at ury.york.ac.uk
Tue Jul 17 09:47:07 BST 2001


On Tue, 17 Jul 2001, Richard Smith wrote:
> On Mon, Jul 16, 2001 at 02:14:42AM +0100, Gavin Atkinson wrote:
> >
> > Users on hosts on the internal network can use rlogin etc. to a host on
> > the external network, and to that external host the connection appears to
> > come from a priviledged port on the box running natd. This means that a
> > user with root on an internal box (or indeed a user on a windows box
> > attached to the internal network) can spoof an rlogin as if it came from a
> > user on the gateway machine, and all without leaving a log.
> >
> > How do I prevent natd from binding outgoing conmnections to low-numbered
> > ports? At the moment this seems like a pretty big security hole...
>
> Correct, r*utils are a pretty big security hole. Anyone that's security
> conscious wouldn't use them at all (unless they were on a secure intranet,
> which is clearly not the case here - you will notice BTW that they're
> disabled by default in FreeBSD now). So what's wrong with using ssh?

I don't have r* servers running on the box in question, but i do allow
users to use them to connect to other servers with them. the problem is
that I can't trust the machines on the internal network (as some are
windows, and some are not admin'd by me), but I need to protect as much as
possible the security of the users' who insist on using rlogin _from_
the server running nat into other internet hosts. As it stands, anyone can
spoof them just by being on the internal network.

> Say you did manage to stop nat from allocating privileged ports, then none
> of your users would be able to use r*utils from behind nat, so you may as
> well turn it off anyway :-)

I don't want them to be able to use them from behind nat, i want to
prevent that.

Even if we ignore the rutils, i can't believe that letting natd open
connections from low ports from a request by a possibly untrusted host is
not a security hole.


Gavin





More information about the Ukfreebsd mailing list