Re: [Linux-igd-devel] Security issues to address...
From: Armijn H. <ar...@uu...> - 2006-08-14 13:08:56
hi,

[cut]

> I'm not sure I understand the final comment in the Armijn report:
>
> <quote>
> ...,but there is no check to see whether or not NewInternalClient is an
> external IP address.
> </quote>
>
> Why is it important whether or not it is an external IP address. I think
> the right input/output interface is properly set in the iptables
> invocation so having an external IP address in the NewInternalClient
> will just result in an ACCEPT rule that is impossible to trigger.
> What do I miss here?

I was able to trigger this (repeatedly) with several routers that use linux-igd. If NewInternalClient is actually an external IP address it will make a firewalling rule for that external IP address. Connect to the port that is opened from the outside and your traffic will nicely go through NAT to the destination port (NewInternalPort if I remember correctly) without a problem.

armijn

--
---------------------------------------------------------------------------
ar...@uu... | http://www.uulug.nl/ | UULug: Utrecht Linux Users Group
---------------------------------------------------------------------------
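
The missing check described in this message, as an added example that is not part of the original post or of linux-igd's code: a routine that accepts NewInternalClient only when it is a literal IPv4 host address inside the LAN subnet. The function name and the LAN address/netmask parameters are assumptions, and the sample addresses in `main` are constructed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: returns 1 only if `client` (the NewInternalClient
 * argument of an AddPortMapping request) is a strict dotted-quad IPv4 host
 * address inside the LAN subnet given by lan_addr/lan_mask, else 0. */
int is_internal_client(const char *client, const char *lan_addr,
                       const char *lan_mask)
{
    struct in_addr c, l, m;

    if (!client || !lan_addr || !lan_mask)
        return 0;
    /* inet_pton rejects hostnames and trailing garbage, so only a literal
     * address can ever reach the firewall rule. */
    if (inet_pton(AF_INET, client, &c) != 1 ||
        inet_pton(AF_INET, lan_addr, &l) != 1 ||
        inet_pton(AF_INET, lan_mask, &m) != 1)
        return 0;

    uint32_t ch = ntohl(c.s_addr), lh = ntohl(l.s_addr), mh = ntohl(m.s_addr);
    uint32_t inv = ~mh;                 /* host bits of the netmask */

    if (mh == 0 || (inv & (inv + 1)) != 0)
        return 0;                       /* empty or non-contiguous mask */
    if ((ch & mh) != (lh & mh))
        return 0;                       /* outside the LAN: refuse mapping */
    if (inv > 1 && ((ch & inv) == 0 || (ch & inv) == inv))
        return 0;                       /* network or broadcast address */
    return 1;
}

int main(void)
{
    /* Constructed sample values: LAN 192.168.1.0/24, gateway 192.168.1.1. */
    const char *candidates[] = { "192.168.1.50", "203.0.113.7",
                                 "192.168.1.255", "example.com" };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("%-15s -> %s\n", candidates[i],
               is_internal_client(candidates[i], "192.168.1.1",
                                  "255.255.255.0") ? "accept" : "reject");
    return 0;
}
```

A daemon would run such a check before building the iptables rule and return a SOAP error instead of creating the mapping when it fails.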