On 10/10/13 16:19, Brian Burch wrote:
> My situation is unconventional, but very similar to the general case. I
> have a rogue web client (not sure if it is buggy software or malware)
> that occasionally tries to connect to my firewall's snat external ip
> address on port 80. The syn's are rejected by my default policy "all all
> REJECT info" because there isn't an explicit rule to permit that traffic
> - and, besides, it should not be allowed!
>
> Unfortunately, wireshark on the firewall and netstat on the client don't
> give me enough information to track down the offending program. I have
> deployed a fake web server on the firewall (listening on port 8080 and
> running under an unprivileged account) whose only purpose is to log the
> http headers after the rogue connection is established.
Gotcha! My fake web server trapped the rogue connection attempt. It was
the Firefox NoScript plugin!
--- Client.: /10.1.252.200:56934
--- URI....: /
--- Method.: GET
--- Headers: {cache-control=no-cache, connection=keep-alive,
host=217.154.193.215, user-agent=Mozilla/5.0 (ABE,
http://noscript.net/abe/wan), pragma=no-cache}
Digging a little took me to:
http://hackademix.net/2010/07/28/abe-patrols-the-routes-to-your-routers/
<quote>Many routers will respond to requests to their public ip on the
private interface. This allows an external site not merely to load the
router config in an iframe by ip (without triggering ABE LOCAL rule)
but also by the site’s name (by dynamically dns binding it to the
router’s public ip), thereby bypassing same origin check and gaining
access to the router.
I suppose NoScript could (optionally) lookup the public ip and include
it in the abe LOCAL pseudo-list.
And so it does now :)
Since version 2.0rc5, released last week, NoScript detects your public
(WAN) IP by sending a completely anonymous query on a secure channel to
https://secure.informaction.com/ipecho, then treats it as a local
address when enforcing its policies against CSRF and DNS Rebinding.
There are a few optimizations, meant to reduce the traffic to less than
two hundred bytes per user per day (and prevent my servers from
melting down), but if you do notice this background request, now you
know what it is about (it is also mentioned in NoScript’s Privacy
Policy, BTW). This new feature, enabled by default, can be disabled at
any time by clearing the NoScript Options|Advanced|ABE|WAN IP ∈ LOCAL
checkbox *.</quote>
I'm satisfied with that explanation.
Brian
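A small diagnostic listener in the spirit of the fake web server described above, together with a Host-header allowlist as the server-side counterpart of the DNS-rebinding defence in the quoted hackademix post. This is added example code, not Brian's server and not anything from NoScript; the allowed hostnames are constructed values and the sample request is reassembled from the headers logged above.

```python
import http.server
import socketserver

# Names this listener may legitimately be addressed as (constructed values).
ALLOWED_HOSTS = {"firewall.lan", "10.1.252.1"}
# Constructed request, reassembled from the headers logged in the post.
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\nHost: 217.154.193.215\r\n"
                  b"User-Agent: Mozilla/5.0 (ABE, http://noscript.net/abe/wan)\r\n"
                  b"Pragma: no-cache\r\nCache-Control: no-cache\r\n"
                  b"Connection: keep-alive\r\n\r\n")

def parse_request(raw: bytes):
    """Raw HTTP/1.x request head -> (method, uri, headers), names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {n.strip().lower(): v.strip()
               for n, _, v in (l.partition(":") for l in header_lines)}
    return method, uri, headers

def host_allowed(headers, allowed=ALLOWED_HOSTS) -> bool:
    """Host allowlist: the server-side defence against the DNS rebinding trick
    quoted above, where Host carries the attacker's site name or the WAN IP."""
    host = headers.get("host", "")
    if host.startswith("["):            # bracketed IPv6 literal
        host = host[1:host.find("]")]
    else:
        host = host.split(":", 1)[0]    # drop any :port suffix
    return host in allowed

def is_abe_wan_probe(headers) -> bool:
    """Recognise NoScript's ABE WAN-IP check from its User-Agent."""
    ua = headers.get("user-agent", "")
    return "ABE" in ua and "noscript.net/abe" in ua

class LoggingHandler(http.server.BaseHTTPRequestHandler):
    # Diagnostic listener like the post's fake server: log who connected
    # and what they sent; answer 403 when Host is not one of our names.
    def do_GET(self):
        headers = {k.lower(): v for k, v in self.headers.items()}
        ok = host_allowed(headers)
        print(f"--- Client.: {self.client_address[0]}:{self.client_address[1]}\n"
              f"--- {self.command} {self.path} host_ok={ok} "
              f"abe_probe={is_abe_wan_probe(headers)} headers={headers}")
        self.send_response(204 if ok else 403)
        self.end_headers()

if __name__ == "__main__":  # alternate port, so it can run unprivileged
    with socketserver.TCPServer(("0.0.0.0", 8080), LoggingHandler) as s:
        s.serve_forever()
```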
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users