smb browsing broken by firewall
shane at geeklords.org
Tue Jan 20 06:15:30 UTC 2004
On Mon, 19 Jan 2004, Charles R. Anderson wrote:
> I believe SMB always uses the subnet broadcast address, but it doesn't
> matter either way. Broadcasts are not usually forwarded across
> routers, and directed broadcasts to remote subnets are usually blocked
> outright, due to the DoS implications. Therefore, even a
> 255.255.255.255 query would only necessarily need to see response
> packets from the local subnet. Therefore it should be sufficient to
> allow incoming packets from sources that match:
>
> (network_address_of_outgoing_broadcast_interface/netmask).
>
> along with the other criteria of protocol and src/dst port numbers.
This is a lot of effort for little/no gain. A simple iptables
rule allowing netbios only from the local broadcast network is
just as secure and a lot less complicated/involved. Granted, what you
are requesting would theoretically decrease how often port 137 is available
for inbound connections (assuming the timeout value is less than the
netbios broadcast frequency and that we are dealing with a private LAN).
However, in practice I see this scheme leaving you more exposed, not less,
as shown by the example below:
Simple Example:
I am a hacker and I have cable Internet. I notice that my localnet is
24.16.80.0 with a subnet mask of 255.255.240.0 (sadly this is my real
cable subnet). I configure and run tcpdump to export the IP
addresses of all netbios broadcasts to a file called victim.txt. I write
a simple script to parse this file every second and kick off my
exploit program whenever a new victim is found.
In the above example you just got rooted. At least with the current
netfilter code the end user/sysadmin is required to think about what it is
they really want to happen. They can then build firewall rules that
reflect their intent. The solution you propose will only make the
above example less visible to the would-be victims, allowing them to
assume that enabling this nifty netbios hack (or, worse yet, it coming
enabled by default) is protecting them, when really all it did was expose
them needlessly.
Cheers,
Shane
--
"Given enough time, all legal battles in the tech industry will invoke the
DMCA. This generally means that all constructive arguments have ended."
-NialScorva (slashdot poster)
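As an added example (not code from Shane, Charles, or the fedora-devel-list thread), the shell script below builds the "simple iptables rule allowing netbios only from the local broadcast network" that Shane prefers, using Charles's recipe of deriving the permitted source range from the outgoing interface's address and netmask. The interface name eth0, the host address 24.16.85.7 and the 255.255.240.0 mask are assumptions for illustration (the mask and the 24.16.80.0 network are the ones quoted in the mail); the script prints the iptables commands instead of executing them so it can be run safely anywhere.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Derive the local network from an interface address/netmask and emit
# iptables rules that accept NetBIOS traffic only from that network.
# Assumed values (not from the mail): interface eth0, host 24.16.85.7.
# Commands are printed, not executed, so this is a dry run.

# net_addr IP MASK -> dotted-quad network address (IP AND MASK, per octet)
net_addr() {
    addr=$1; mask=$2
    oldIFS=$IFS; IFS=.
    set -- $addr; a1=$1; a2=$2; a3=$3; a4=$4
    set -- $mask; m1=$1; m2=$2; m3=$3; m4=$4
    IFS=$oldIFS
    echo "$((a1 & m1)).$((a2 & m2)).$((a3 & m3)).$((a4 & m4))"
}

# prefix_len MASK -> CIDR prefix length (number of set bits in the mask)
prefix_len() {
    oldIFS=$IFS; IFS=.
    set -- $1
    IFS=$oldIFS
    bits=0
    for o in "$1" "$2" "$3" "$4"; do
        while [ "$o" -gt 0 ]; do
            bits=$((bits + (o & 1)))
            o=$((o >> 1))
        done
    done
    echo "$bits"
}

# netbios_rules IFACE IP MASK -> iptables commands, one per line.
# Accepts name service (udp/137), datagram (udp/138) and session (tcp/139)
# only from the local network; everything else to those ports is dropped.
# Caveat from the mail: on a shared cable segment the "local network" is
# the attacker's network too, so this only helps on a trusted private LAN.
netbios_rules() {
    iface=$1
    net="$(net_addr "$2" "$3")/$(prefix_len "$3")"
    for p in 137 138; do
        echo "iptables -A INPUT -i $iface -p udp --dport $p -s $net -j ACCEPT"
    done
    echo "iptables -A INPUT -i $iface -p tcp --dport 139 -s $net -j ACCEPT"
    echo "iptables -A INPUT -i $iface -p udp --dport 137:138 -j DROP"
    echo "iptables -A INPUT -i $iface -p tcp --dport 139 -j DROP"
}

# Dry run with the assumed values; pipe to sh to apply for real.
netbios_rules eth0 24.16.85.7 255.255.240.0
```

Note that with the 255.255.240.0 mask from the mail the permitted source range is 24.16.80.0/20, i.e. roughly four thousand neighbouring cable-modem hosts, which is exactly why Shane's "hacker on the same subnet" example still applies: the rule expresses an intent (trust the local segment) that only holds on a genuinely private LAN.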
More information about the fedora-devel-list mailing list