Hi guys,
This is a total imaginary situation but I'm very curious to know this.
Imagine a LinuxBox working as a gateway with firewall, IDS and so on.
The client is a micro$hit windows machine which is running a vulnerable client program such as a P2P application.
The firewall has all the FORWARD and the -state established settings to make the thing work. Here comes my question:
theory says in this way an attacker would be able to attack my client machine using overflows exploits etc.
Excluding iptables bugs and access to administration services by the client, would it be possible to compromise the gateway?
In other words, does forwarding keep the gateway safe?
Thank you!

What runs on the gateway itself?
How freely do you allow the client access to the gw's admin features?

There was a problem with NAT in linux <= 2.4.21 if I remember correctly.

Well, the firewall, DCHP server, web server, that's it. No proxy or mail stuff.
no admin features at all.

Well, the firewall, DCHP server, web server, that's it.
We'll assert you properly configured the firewall (allowing only non-server non-syn UDP, TCP and partial ICMP back in, access to MICROS~1 services blocked), if it is, and you're not running additional apps to add/del routing or fw rules like portsentry or Guardian, and if you're not keeping a close eye on logging, then, if you haven't partitioned a separate /var, and if you're logging on the fw itself, and if you have enough LOG target rules, the only thing we can hope for is to flood logging and try to fill up diskspace to the point where nothing gets logged anymore. If that itself doesnt break things, it should give us at least the security nothing gets written to logs. Of course it's unknown how much space you got, so it's not something to try unless really desperate/bored, still it's a possibility.
We'll also assert you properly configured HDCPd and that it's only running on the LAN side, meaning it's not accessable from the outside, hence not vulnerable to outside attacks.
For the webserver, what's the name and version? What features does it have? What interaction is allowed? Does it use PHP? CGI scripts? Any default installation scripts left? Any scripts that give us extended info of the system itself?


no admin features at all.
Weird. Cuz in your initial post you wrote "Excluding iptables bugs and access to administration services by the client". Sure there are no administration services running on the gw? Telnetd, Sshd, webmin, any other GUI?


As an exception, there's something you could run for me on the gw. I developed it just for situations like these and it should help detect a lot of crap, but you'll have to trust me. If you do, email me (you got my address already) and I'll send you the URI where to pick it up, just tell me what distribution (Debian, isn't it?) and kernel you're running. FWIW, I've been a moderator for years if that means something on the credentials side, and I usually don't send apps to people. And of course it'll be GPG-signed and all sources are included.

I'm pretty curious now, hint hint

Nice description of the situation unSpawn!
Exactly.
Reguarding the web server, it is: Apache/1.3.26 Server (as Debian Woody suggests) with PHP4 support but no cgi support. Plus, the document root has been chrooted. The modules loaded are minimal. There is only a PHP scripts that returns the ppp0's IP address.

I said so for being general. Since this case is (partially) ideal, let's say there are not administration tools. No telnet or webmin and no even ssh. In reality it just has a ssh access with one-time-pad 16bytes password and additional RSA authentication.

I'd like to help you unSpawn, I'll email you soon so we can discuss about this

I'd like to help you unSpawn, I'll email you soon so we can discuss about this
//FWIW, this was a trick up my sleeve to see if TheIrish would catch the bait and could be persuaded into running something on the GW. I bailed out (trust abuse issue), we discussed what I was trying to do, and he passed the test cuz he said he'd never run something that wasn't from security.debian. Congrats. It's good to see ppl with a healthy dose of paranoia and discipline! (I hope that goes for you too Iceman47)

Point is, who and what can you trust? In essence: not many and not much. Do not automagically trust something at face value, don't install binaries but compile yourself, use GPG signed sources from "known good" repositories, and always ask for second opinions if unsure. just to make sure ppl understand: only on VERY RARE occasions I would send my fellow LQ members applications, if I need to send something it will be URI's most of the time. I don't "advertise" stuff, anything I send will always be run and verified by myself and isn't sent w/o agreement of the receiving party.


I said so for being general. (...) In reality it just has a ssh access with one-time-pad 16bytes password and additional RSA authentication.
It's not much in terms of "trust", but I hope you restricted network access to some "known good" IP's you'll be working from and account access to an unprivileged one?


As for Apache/PHP, if they're up to date, properly configured and run as lesser-privileged user and with minimal features, then (as far as sparse details allow) I'd say you got that covered.

As I said in a private email to unspawn, when the binary is not certified (this means, not coming from *.debian.org), I only install from sources and this happens very rarely. Being a programmer more then a sysadmin, I can quite well understand what goes on in a source.
Come on! IT is obvious I restricted the access to a known good IP. In fact, in my real network I have a Mac who works as a console. The check is made on IP, MAC Address and which Network Interface Card receives the data. By the way, the gateway has 3 interfaces used for: LAN, WAN, CONSOLE. In this way I can't do remote administration, but hell, I don't need it.
Always up-to-date, with Debian upgrades... this means only-stable releases. Finally, the config should be as minimal as possible, and working correctly.

PS: almost forget... if you're asking yourself, YES, I'm paranoic

Come on! IT is obvious I restricted the access to a known good IP.
Well, forgive me for asking, OK?

PS: almost forget... if you're asking yourself, YES, I'm paranoic
Welcome to the club :-]