On Jun 8, 2010, at 6:26 AM, Jan Buchholz wrote:
Thanks @all, sorry I was out of office yesterday. I'll discuss the
issue this week at the German Linux Tag in Berlin.
What is your opinion of firewalls that look into packets and block them
if the filter doesn't know a flag?
Some "high security" firewalls examine the actual payload of the
packets and validate that the payload follows the spec (at least as
they understand the spec). This sounds like a great win, because it
allows you to make sure that folks aren't tunneling things over other
ports, "protects" your backend from application level attacks (and
attacks on the TCP stack and such) and allows NAT fixups for things
like SIP -- this is often called an ALG (Application layer gateway),
fixups or something similar. Unfortunately they almost always cause
way way more issues than they solve, and cause really really
interesting troubleshooting problems[0]. The firewall has to maintain
a huge amount of state, the ALG is coded for a protocol at a specific
point in time and so doesn't deal with extensions (like edns
apparently :-P), etc.
W
[0]: My favorite instance of this was downloading an ISO of Ubuntu
something or other. I downloaded the ISO and ran 'md5sum' to validate
it -- validation failed so I deleted it and tried again. Validation
fails again. Lather, rinse, repeat.
After a few tries (all over a 1.5 Mbps DSL line, no less) I ended up
copying it over SCP instead of HTTP. Validates fine....
I run 'diff' to see if I can figure out what the hell is going on.
I discover that (in two places in the file) the sequence 0x4772 0x26C7
has mysteriously become 0xC0A8 0x002F. I spend a while poking at
random things (for some reason I had decided it must be bad RAM on the
RAID controller) and end up converting the bytes to decimal -- the
correct one is 71 114 38 199 and the incorrect one is 192 168 0 47...
Wait a minute, that last set of numbers looks *awfully* familiar...
Yup, it's the address of my machine and the other address is the
outside address of the firewall...
Suddenly I realize -- the firewall / NAT device is doing NAT "fixup"
by blindly replacing the "outside" address with the "inside" address
anywhere in the payload... Wheeeeee.....
First I've fixed the problem with edns no;
Jan
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
I had no shoes and wept. Then I met a man who had no feet. So I
said, "Hey man, got any shoes you're not using?"
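The blind NAT "fixup" described in the footnote above, as an added example that is not from the post or from any firewall vendor's code: a model of an ALG that rewrites the packed outside address wherever it appears in a payload, plus the troubleshooting W walked through (checksum mismatch, diff the good and bad copies, decode each differing 4-byte run as a dotted quad). The addresses, the filler "ISO" and the offsets are constructed for the demo; the helper names are my own.

```python
import hashlib
import ipaddress

# Constructed addresses mirroring the anecdote: the NAT device's outside
# address and the inside host it rewrites it to.
OUTSIDE_ADDR = ipaddress.IPv4Address("71.114.38.199")
INSIDE_ADDR = ipaddress.IPv4Address("192.168.0.47")


def naive_nat_fixup(payload: bytes, outside: ipaddress.IPv4Address,
                    inside: ipaddress.IPv4Address) -> bytes:
    """Model of the broken ALG: rewrite every occurrence of the packed
    outside address in the payload, with no idea whether those four bytes
    are actually an address or just file data."""
    return payload.replace(outside.packed, inside.packed)


def differing_runs(good: bytes, bad: bytes) -> list:
    """Return (offset, length) for each maximal run of differing bytes."""
    if len(good) != len(bad):
        raise ValueError("copies differ in length; not an in-place rewrite")
    runs, start = [], None
    for i, (g, b) in enumerate(zip(good, bad)):
        if g != b:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(good) - start))
    return runs


def decode_as_addresses(good: bytes, bad: bytes, runs: list) -> list:
    """For each run short enough to be one rewritten IPv4 address, decode the
    4-byte window at its start in both copies (the "convert to decimal" step)."""
    hits = []
    for offset, length in runs:
        if length > 4 or offset + 4 > len(good):
            continue  # longer than an IPv4 address: some other kind of damage
        hits.append((offset,
                     ipaddress.IPv4Address(good[offset:offset + 4]),
                     ipaddress.IPv4Address(bad[offset:offset + 4])))
    return hits


def looks_like_nat_fixup(hits: list, outside, inside) -> bool:
    """True when every difference is exactly outside -> inside, the
    signature of an ALG rewriting addresses inside the payload."""
    return bool(hits) and all(o == outside and n == inside for _, o, n in hits)


def build_sample_iso() -> bytes:
    """Constructed stand-in for the ISO: filler bytes in 0..63 (so the outside
    address cannot occur by accident) with that address embedded twice."""
    data = bytearray(i % 64 for i in range(4096))
    for offset in (100, 3000):
        data[offset:offset + 4] = OUTSIDE_ADDR.packed
    return bytes(data)


def demo() -> list:
    """Reproduce the troubleshooting: checksum fails, diff, decode."""
    good = build_sample_iso()                       # copy fetched over SCP
    published_md5 = hashlib.md5(good).hexdigest()   # what the mirror lists
    bad = naive_nat_fixup(good, OUTSIDE_ADDR, INSIDE_ADDR)  # copy via the ALG
    if hashlib.md5(bad).hexdigest() == published_md5:
        return []                                   # nothing was rewritten
    return decode_as_addresses(good, bad, differing_runs(good, bad))


if __name__ == "__main__":
    for offset, was, now in demo():
        print(f"offset {offset}: {was} -> {now}")
```

Running it reports both offsets as 71.114.38.199 -> 192.168.0.47, which is exactly the pattern that points at the NAT device rather than at RAM or the RAID controller. One caveat: the 4-byte window starts at the first byte that differs, so if the outside and inside addresses share a leading octet (common with double NAT, e.g. two 192.168.x.y networks) the decoded window is shifted and you need to widen it by hand.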