
RE: directpc.com question... (deals with pf... )



Ok...  Here's how they do it...
User has a modem, connects to ISP.. gets IP of 1.2.3.4
User loads Sat Program to use the Sat's downstream.
Sat program logs into DirectPC's "network" with their (the user's) site ID
Direct PC then sends an IP Address to the sat receiver, the sat receiver tells the
user's computer:
   Hey, They just gave me the IP of 7.3.5.6
Sat program now controls user's TCP/IP stack...
User goes to www.blah.com; the TCP session will look something like:
7.3.5.6 -> SYN -> www.blah.com  (using modem)
www.blah.com -> ACK -> 7.3.5.6   (using sat)
7.3.5.6 -> SYN-ACK -> www.blah.com  (using modem)
7.3.5.6 -> [data packet of get] -> www.blah.com  (using modem)
www.blah.com -> [data packet value of get request] -> 7.3.5.6  (using sat)
Just a normal, basic TCP session (steps might be wrong, it's late and I'm
going off memory)
Now, keeping in mind this is a one way customer, meaning they use the ISP
for the upstream, and the sat network for their downstream. (aka async route,
because the upstream route differs from the downstream route of the
packets)
With that laid out... The sat program (which controls the user's TCP/IP
stack) sends out all TCP/IP packets with the source address of 7.3.5.6 out
of the user's modem interface, which has the IP Address of 1.2.3.4
So...
if 1.2.3.0/24 is your network.. and in your firewall, you have the following
statements:
===============================
# default deny in both directions (pf's own implicit policy is pass)
block in  inet  from any  to any
block out inet  from any  to any
# only packets sourced from your own prefix may enter on if0
pass in   on if0 inet  from { 1.2.3.0/24 } to any keep state
# only packets destined to your own prefix may leave on if0
pass out  on if0 inet  from any to { 1.2.3.0/24 } keep state
================================
which will keep spoofed IP addresses from leaving your network and entering
your network.
So, since 7.3.5.6 isn't in your network, it gets the default of block....
If the user wants to use their sat connection, you have to do one of two
things.
1) know their IP Addresses that they give to their users.
2)  don't block spoofed packets and hope a hacker doesn't take over one of
your customers' machines/servers and turn it into a zombie...
Does everyone understand how those one way sat connections work now?
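As an added example that is not part of the post above (nor DirecPC's or pf's own code), here is a small Python model of how pf evaluates the quoted ruleset, to show why the DirecPC user's packets land on the default block and what option 1 changes. It assumes if0 is the interface facing your dial-up customers and if1 (a name chosen here) is your upstream; it uses 198.51.100.10 as a constructed stand-in for www.blah.com and 7.3.0.0/16 as a placeholder for the satellite provider's address block, which the post does not give. The model keeps only what the scenario needs: last-match-wins evaluation, pf's implicit pass when nothing matches, and floating state entries keyed on source and destination; ports, protocols and TCP flags are left out.

```python
"""Toy model of pf rule evaluation for the ruleset quoted above.

Added example, not from the mailing-list post.  Simplifications:
- rules are checked top to bottom and the LAST match wins (none of the
  posted rules use 'quick');
- when no rule matches the implicit policy is pass, which is why the
  posted ruleset opens with two block-all rules;
- 'keep state' is a floating (not interface-bound) state entry keyed on
  (src, dst), so a packet admitted 'in on if0' also passes 'out' on the
  upstream interface without another rule evaluation.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    iface: str        # interface the packet is crossing
    direction: str    # "in" or "out", relative to the firewall
    src: str
    dst: str


@dataclass
class Rule:
    action: str                 # "block" or "pass"
    direction: str              # "in" or "out"
    iface: Optional[str]        # None means any interface
    src: list                   # IPv4Network list; empty list means "any"
    dst: list
    keep_state: bool


RULE_RE = re.compile(
    r"^(block|pass)\s+(in|out)(?:\s+on\s+(\S+))?\s+inet\s+"
    r"from\s+(.+?)\s+to\s+(.+?)(\s+keep\s+state)?\s*$")


def parse_addrs(spec: str) -> list:
    """'any' -> [] (matches everything); '{ a, b }' or 'a' -> networks."""
    spec = spec.strip().strip("{}").strip()
    if spec == "any":
        return []
    return [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",")]


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    action, direction, iface, src, dst, keep = m.groups()
    return Rule(action, direction, iface, parse_addrs(src), parse_addrs(dst),
                keep is not None)


def parse_ruleset(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def addr_in(addr: str, nets: list) -> bool:
    return not nets or any(ipaddress.ip_address(addr) in n for n in nets)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.iface is None or rule.iface == pkt.iface)
            and addr_in(pkt.src, rule.src)
            and addr_in(pkt.dst, rule.dst))


@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)    # floating (src, dst) entries

    def decide(self, pkt: Packet) -> str:
        """Verdict ('pass' or 'block') for one packet on one interface."""
        if (pkt.src, pkt.dst) in self.states:
            return "pass"                        # existing state, no rule walk
        verdict, keep = "pass", False            # pf's implicit default
        for r in self.rules:
            if rule_matches(r, pkt):
                verdict, keep = r.action, r.keep_state   # last match wins
        if verdict == "pass" and keep:
            self.states.add((pkt.src, pkt.dst))
        return verdict

    def forward(self, src: str, dst: str, in_if="if0", out_if="if1") -> str:
        """A customer packet enters on the dial-up side and, if admitted,
        leaves on the upstream side; 'block' if either hop blocks it."""
        for pkt in (Packet(in_if, "in", src, dst), Packet(out_if, "out", src, dst)):
            if self.decide(pkt) == "block":
                return "block"
        return "pass"


# The ruleset exactly as quoted in the post; if0 is read as the interface
# facing the dial-up customers, if1 (upstream) is this example's assumption.
POSTED_RULESET = """
block in  inet  from any  to any
block out inet  from any  to any
pass in   on if0 inet  from { 1.2.3.0/24 } to any keep state
pass out  on if0 inet  from any to { 1.2.3.0/24 } keep state
"""

# Option 1 from the post: also admit the satellite provider's source blocks.
# 7.3.0.0/16 is a placeholder, not DirecPC's real allocation.
SAT_RULESET = POSTED_RULESET + "pass in   on if0 inet  from { 7.3.0.0/16 } to any keep state\n"

WEB_SERVER = "198.51.100.10"    # constructed stand-in for www.blah.com

if __name__ == "__main__":
    fw = Firewall(parse_ruleset(POSTED_RULESET))
    print("dial-up user 1.2.3.4  :", fw.forward("1.2.3.4", WEB_SERVER))   # pass
    print("DirecPC user 7.3.5.6  :", fw.forward("7.3.5.6", WEB_SERVER))   # block
    fw = Firewall(parse_ruleset(SAT_RULESET))
    print("DirecPC user, option 1:", fw.forward("7.3.5.6", WEB_SERVER))   # pass
```

The dial-up user's packet is admitted by the `pass in on if0` rule and then crosses if1 on the state it created; the DirecPC user's packet never matches a pass rule, so the `block in` rule that matched first is also the last match. The extra `pass in` line is all option 1 amounts to, once the provider's prefixes are known.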
-----Original Message-----
From: owner-pf@benzedrine.cx [mailto:owner-pf@benzedrine.cx]On Behalf Of
jolan
Sent: Wednesday, December 18, 2002 9:08 PM
To: Shawn Mitchell
Cc: pf@benzedrine.cx
Subject: Re: directpc.com question... (deals with pf... )
On Wed, Dec 18, 2002 at 08:09:15PM -0600, Shawn Mitchell wrote:
> That's why I'm blocking those Winblows ports...    I know what they are..
> but it's just the pure number of full network scans attempted.
well, that's what worms do.  i can't say i'm surprised.
> I'm not talking about their website IP Address...   you're correct in that
> they have a modem for upstream, and that dish for downstream.
i'm not talking about their website ip address either...
> If a packet with a source address that is not one of my IP Addresses or on
> RFC1918 tries to leave my internet interface... it's killed...  I do that on
> purpose as I don't want broadband users having their machines turned to
> zombies, or their 12 year old kid finding a "cool" script.
uh.  how does this tie in with direcpc users?  are direcpc users using
your dial-up service for their upstream?
> Their site says Earthlink... but they say they're an Ecorp company or
> something...
ecorp could be earthlink corporation...
> What happens if they are using RFC1918 addresses?  I've been seeing a LOT of
> 10 dot traffic trying to exit... and also hit my DNS servers.
they should be using direcpc's dial-up service, not yours.
> If they're using 10 dot addresses (which is stupid), I'm ok with allowing
> it... IF I know all the places that it's supposed to go to.
uh. how is it supposed to get delivered? most places drop packets
destined for private networks.
> It just pisses me off when you spend an hour on their tech support line, and
> they say "We can't give you those addresses for security reasons"  I'm just
> like.. ok.. my network.. I see all the traffic anyway...   After that, he
> kept telling me that "No, we're not blocking anything"  me: "No, I need to
> know your IP Address Blocks.  They'll be something like a 1.2.3.4/20 or
> something like that"   him:  "No, we're not blocking any ip addresses"
if you see all the traffic, then do a lookup on arin.net to find the
blocks allocated to them..?
- jolan