Re: Internal IP Address Detection Through NAT
Thank you so much for your replies, Stefan, Daniel, Kevin, Jason and messmate :))

Thank you so much for helping out!

Kind Regards

Siju
Re: Internal IP Address Detection Through NAT
On Wed, 2004-12-08 at 14:34, messmate wrote:
> > This is correct. Squid by default includes an X-Forwarded-For: header on each HTTP request showing the original requesting IP address. This can be disabled in squid.conf with forwarded_for off.
>
> Sorry, not correct. I'm behind my squid and forwarded on or off the header is there!

the X-Forwarded-For header is present whether you set the forwarded_for directive to on or off--the difference is that with it set to off the header reads:

    X-Forwarded-For: unknown\r\n

which would rule it out as the source of the IP leak that the OP is asking about. you can also control what is shown in the Via header by setting the visible_hostname directive. again--ruling out squid as the source of the leak...

oh--and if the Via: header bugs you:

    header_access Via deny all

works without a recompile... as does:

    header_access X-Forwarded-For deny all

-j

--
Oh, so they have internet on computers now!
--The Simpsons
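The header behaviour discussed in this thread can be checked on captured request heads. The following is an added example, not part of the original messages: it flags headers that carry a private address or identify the proxy. The sample requests, host names and the function names `parse_headers` and `find_leaks` are constructed for illustration.

```python
import ipaddress
import re

# Constructed request heads, as they might look on the proxy's outside interface.
DEFAULT = ("GET / HTTP/1.0\r\nHost: audit.example\r\n"
           "Via: 1.0 proxy.lan.example:3128 (squid/2.5)\r\n"
           "X-Forwarded-For: 192.168.1.23\r\n\r\n")
FORWARDED_OFF = ("GET / HTTP/1.0\r\nHost: audit.example\r\n"
                 "Via: 1.0 proxy.lan.example:3128 (squid/2.5)\r\n"
                 "X-Forwarded-For: unknown\r\n\r\n")
STRIPPED = "GET / HTTP/1.0\r\nHost: audit.example\r\n\r\n"

# Dotted quads that are not part of a longer dotted or numeric token.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def parse_headers(raw):
    """Return (name, value) pairs from a raw HTTP request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def find_leaks(raw):
    """List (header, reason) for headers that expose internal details."""
    findings = []
    for name, value in parse_headers(raw):
        for candidate in IPV4.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:  # out-of-range octets such as 999.1.1.1
                continue
            if addr.is_private:
                findings.append((name, "private address " + candidate))
        if name.lower() == "via":
            findings.append((name, "proxy identity disclosed"))
    return findings


if __name__ == "__main__":
    for label, raw in (("default", DEFAULT), ("forwarded_for off", FORWARDED_OFF),
                       ("header_access deny", STRIPPED)):
        print(label, find_leaks(raw))
```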
Re: Internal IP Address Detection Through NAT
On Wed, 08 Dec 2004 19:22:53 -0500 Jason Opperisano [EMAIL PROTECTED] wrote:
> On Wed, 2004-12-08 at 14:34, messmate wrote:
> > > This is correct. Squid by default includes an X-Forwarded-For: header on each HTTP request showing the original requesting IP address. This can be disabled in squid.conf with forwarded_for off.
> >
> > Sorry, not correct. I'm behind my squid and forwarded on or off the header is there!
>
> the X-Forwarded-For header is present whether you set the forwarded_for directive to on or off--the difference is that with it set to off the header reads:
>
>     X-Forwarded-For: unknown\r\n

I agree :)

> which would rule it out as the source of the IP leak that the OP is asking about. you can also control what is shown in the Via header by setting the visible_hostname directive. again--ruling out squid as the source of the leak...
>
> oh--and if the Via: header bugs you:
>
>     header_access Via deny all

Tested and works on openbsd without a recompile :)

> works without a recompile... as does:
>
>     header_access X-Forwarded-For deny all
>
> -j

Thanks

mess-mate
Re: Internal IP Address Detection Through NAT
Hello,

Thanks everyone for your comments. I should have guessed that it would be a Java script or something. I disabled Java in Internet Explorer and the site I was talking about was not able to get the internal ip address anymore.

Thanks again.

--
Best regards,
William mailto:[EMAIL PROTECTED]
Internal IP Address Detection Through NAT
Hello,

I know this has been discussed before, but I looked through the list and could not find what I was looking for. I was browsing a security audit website and not only did it show the external ip address given to me by my isp (this is to be expected), but it also showed the internal ip address of the machine I connected to the site with as well. I cannot recall if this is to be expected or not, but the site I was looking at did not think so. The machine I connected with runs Windows 2000 Pro. Feel free to point me to any discussions on this.

--
Best regards,
William mailto:[EMAIL PROTECTED]
Re: Internal IP Address Detection Through NAT
On Wed, Dec 08, 2004 at 02:17:00AM -0500, William Culler wrote:
> I know this has been discussed before, but I looked through the list and could not find what I was looking for. I was browsing a security audit website and not only did it show the external ip address given to me by my isp (this is to be expected), but it also showed the internal ip address of the machine I connected to the site with as well. I cannot recall if this is to be expected or not, but the site I was looking at did not think so. The machine I connected with runs Windows 2000 Pro. Feel free to point me to any discussions on this.

Repeat the test with an OpenBSD box using a browser that doesn't do JavaScript or Java, like lynx(1). The most likely explanation is that the client is giving away the information.

If you can reproduce it with that setup, run tcpdump on the NAT box's external interface and capture all traffic between you and the external probe and repeat the test.

It might be some game with IP TTL values, but pf should always replace the internal address with the gateway's. The tcpdump will tell.

Daniel
Re: Internal IP Address Detection Through NAT
Hi Danny,

On Wed, 8 Dec 2004 11:22:01 +0100, Daniel Hartmeier [EMAIL PROTECTED] wrote:
> It might be some game with IP TTL values, but pf should always replace the internal address with the gateway's. The tcpdump will tell.

I found the same thing happening when I use Squid Proxy to connect to internet. So I should be changing some configuration in squid isn't it? Any comments?

Thank you so much :)

Kind Regards

Siju
Re: Internal IP Address Detection Through NAT
On Wed, 8 Dec 2004 19:34:03 +0530, Siju George [EMAIL PROTECTED] wrote:
> On Wed, 8 Dec 2004 11:22:01 +0100, Daniel Hartmeier [EMAIL PROTECTED] wrote:
> > It might be some game with IP TTL values, but pf should always replace the internal address with the gateway's. The tcpdump will tell.

I've never seen pf leak the original inside source IP address from a NAT'd client.

> I found the same thing happening when I use Squid Proxy to connect to internet. So I should be changing some configuration in squid isn't it? Any comments?

This is correct. Squid by default includes an X-Forwarded-For: header on each HTTP request showing the original requesting IP address. This can be disabled in squid.conf with forwarded_for off.

Additionally, Squid will also append a Via: header which reveals information about the cache -- some web discussion boards will refuse access if the Via header is present.

The code which generates both of these headers is located in 'http.c' in the Squid source tree. The only way to disable the 'Via' header in Squid2.5 is to edit the source and recompile.

Kevin
Re: Internal IP Address Detection Through NAT
On Wed, 8 Dec 2004 10:34:51 -0600 Kevin [EMAIL PROTECTED] wrote:
> On Wed, 8 Dec 2004 19:34:03 +0530, Siju George [EMAIL PROTECTED] wrote:
> > On Wed, 8 Dec 2004 11:22:01 +0100, Daniel Hartmeier [EMAIL PROTECTED] wrote:
> > > It might be some game with IP TTL values, but pf should always replace the internal address with the gateway's. The tcpdump will tell.
>
> I've never seen pf leak the original inside source IP address from a NAT'd client.
>
> > I found the same thing happening when I use Squid Proxy to connect to internet. So I should be changing some configuration in squid isn't it? Any comments?
>
> This is correct. Squid by default includes an X-Forwarded-For: header on each HTTP request showing the original requesting IP address. This can be disabled in squid.conf with forwarded_for off.

Sorry, not correct. I'm behind my squid and forwarded on or off the header is there!

> Additionally, Squid will also append a Via: header which reveals information about the cache -- some web discussion boards will refuse access if the Via header is present.
>
> The code which generates both of these headers is located in 'http.c' in the Squid source tree. The only way to disable the 'Via' header in Squid2.5 is to edit the source and recompile.
>
> Kevin

Would be tried :) But there is an accel_header_... etc. which disable parts of the header = anonymous. Look at the config file.

mess-mate