
Re: pf proxy support
> one feature of ipf I use is proxy support, particularly the FTP proxy
> although there are other proxies. I am trying to see how I would achieve
> the same functionality utilizing pf.

Using userland proxies like our ftp proxy which we provide.  Others
can easily be written.

ipf in-kernel proxies are fundamentally broken, since they are not
aware of overlapping packet attacks.  Keep your eye tuned to
BUGTRAQ...

> if I understand correctly, proxy support with pf is implemented via
> redirecting connections to a proxy server running in user space. according
> to the documentation for ftp-proxy, you need to add in broad rule such as:
> 
>         pass  in on xl1 proto tcp from any to xl1 port > 49151 keep state
> 
> in order to get it to work, allowing possible connection attempts that are
> not actually associated with a given FTP session. This method also seems
> incompatible with a bridging firewall, as the user space proxy needs an IP
> address on the interface.

A bridged ftp proxy would be just as vulnerable.  Since packets are
reassembled at the wrong place, it is fundamentally vulnerable to
fragrouter-style attacks.

Not everything which is possible using features of our network stack
is secure; not everything is desirable; and not everything that is
possible is smart to do.

We just supply rope.
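As an added illustration of the reassembly point made above (example code, not from the post or from pf/ipf), the small Python reassembler below rebuilds a stream from a constructed list of overlapping TCP segments under two common policies and shows that they disagree; the `find_conflicting_overlaps` helper is the check a filter or IDS would need in order to notice that it cannot decide the stream on the endpoint's behalf.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # relative TCP sequence number of the first byte
    data: bytes


# Constructed segment list: a request is sent, then part of it is re-sent with
# different bytes at the same sequence numbers (an overlapping segment).
SEGMENTS = [
    Segment(0, b"GET /index"),
    Segment(10, b".html\r\n"),
    Segment(5, b"admin"),   # overlaps positions 5..9 ("index") with "admin"
]


def reassemble(segments, policy="first"):
    """Rebuild the byte stream from segments.

    policy="first": the earliest-received byte for a position wins.
    policy="last":  later segments overwrite earlier bytes.
    Positions never received are filled with '?' so gaps stay visible.
    """
    buf = {}
    for seg in segments:
        for off, byte in enumerate(seg.data):
            pos = seg.seq + off
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if not buf:
        return b""
    return bytes(buf.get(i, ord("?")) for i in range(max(buf) + 1))


def find_conflicting_overlaps(segments):
    """Return stream positions where two segments disagree on the byte.

    A stream with no conflicts reassembles identically under any policy; a
    stream with conflicts can only be judged correctly by the real endpoint,
    which is why reassembling in a middlebox is the wrong place.
    """
    seen, conflicts = {}, set()
    for seg in segments:
        for off, byte in enumerate(seg.data):
            pos = seg.seq + off
            if pos in seen and seen[pos] != byte:
                conflicts.add(pos)
            seen.setdefault(pos, byte)
    return sorted(conflicts)
```

Running `reassemble(SEGMENTS, "first")` and `reassemble(SEGMENTS, "last")` on the constructed list yields two different requests from the same packets, which is exactly the ambiguity an in-path proxy cannot resolve without knowing the receiving host's policy.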