Date: Sat, 10 Jun 2000 01:23:38 -0400 (EDT)
From: Andy Dills <andy@xecu.net>
To: "purpledreams.com system administrator" <super@purpledreams.com>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Hijacking DNS with ipfw
Message-ID: <Pine.GSO.4.21.0006100102450.4542-100000@shell.xecu.net>
In-Reply-To: <003301bfd299$61e21920$a3337218@purpledreams.com>
On Sat, 10 Jun 2000, purpledreams.com system administrator wrote:

> But if all you do is redirect the packet to a different port, without NAT,
> then the result will not be forwarded back correctly.
>
> i.e.:
>
> 1 - 10.11.12.13 (host) sends DNS to 10.11.13.2
> 2 - 10.11.12.1 (ipfw gateway) redirects to 127.0.0.1
> 3 - local DNS answers request, sends results back to 10.11.12.13
>
> Without NAT, the packet from number 3 will have a destination of 10.11.12.13
> and a source of 10.11.12.1, not 10.11.13.2, and therefore the host making
> the query won't properly process the packet. NAT would change the source
> and destination info on the packets (as opposed to merely re-routing them),
> making them route correctly.
>
> All this is, of course, assuming I understand it correctly. It all comes down
> to the query host receiving the result correctly, not specifically a routing
> issue at all.

You're quite possibly right; I've been agonizing over the description of fwd
in `man ipfw`:

-===-
     fwd ipaddr[,port]
             Change the next-hop on matching packets to ipaddr, which can be
             an IP address in dotted quad or a host name. If ipaddr is not a
             directly-reachable address, the route as found in the local
             routing table for that IP is used in stead. If ipaddr is a local
             address, then on a packet entering the system from a remote host
             it will be diverted to port on the local machine, keeping the
             local address of the socket set to the original IP address the
             packet was destined for. This is intended for use with
             transparent proxy servers. If the IP is not a local address then
             the port number (if specified) is ignored and the rule only
             applies to packets leaving the system.
-===-

The way I understand that is:

1) 10.0.0.1 requests DNS from 10.0.0.200
2) Via proxy arp, the packet gets sucked into the FreeBSD box.
   (I'm effectively proxy arping the entire internet... long story, but this
   part of the project is working flawlessly)
3) I fwd it to the localhost:53, and the source address of the reply is set to
   10.0.0.200, and the dest address is set to 10.0.0.1.

Am I incorrect? Maybe we'll have to wait for one of the ipfw developers to give
some insight.

Thanks,
Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills                              301-682-9972
Xecunet, LLC                            www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access
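The disagreement in the two messages above comes down to one question: what source address does the resolver's reply carry when it leaves the gateway? A stub resolver only accepts an answer whose source address and port match the server it queried. The following Python model, added here as an illustration and not part of the thread or of ipfw, plays the exchange through under the three behaviours discussed: a plain redirect of the query to the local resolver, fwd as the man page excerpt describes it (the resolver's socket keeps the original destination as its local address), and a NAT that rewrites both directions. The addresses 10.0.0.1 and 10.0.0.200 are the ones from Andy's message; the gateway address 10.0.0.254, the client port, the transaction id and the answer are constructed for the example. It models the reasoning in the thread, not the actual FreeBSD kernel code path.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    txid: int
    payload: str

CLIENT = "10.0.0.1"        # querying host, from the thread
REMOTE_DNS = "10.0.0.200"  # server the client believes it is querying, from the thread
GATEWAY = "10.0.0.254"     # constructed: the ipfw box's own address
LOCAL_DNS = "127.0.0.1"    # the resolver the query is handed to

def local_resolver(query: Packet, local_addr: str) -> Packet:
    """The local name server answers from a socket whose local address is local_addr.
    The answer payload is constructed; only the addressing matters here."""
    name = query.payload.split(" ", 1)[1]
    return Packet(src=local_addr, sport=53, dst=query.src, dport=query.sport,
                  txid=query.txid, payload=f"A {name} 192.0.2.10")

def gateway(query: Packet, mode: str) -> Packet:
    """Deliver the client's query to the local resolver under one of three models
    and return the reply packet as the client would see it on the wire."""
    if mode == "plain":
        # Re-address the query to the local resolver and nothing else. The reply
        # leaves with whatever address the resolver's socket has, modelled as the
        # gateway's own address (the purpledreams admin's reading).
        redirected = replace(query, dst=LOCAL_DNS)
        return local_resolver(redirected, local_addr=GATEWAY)
    if mode == "fwd":
        # The man page reading: the packet is diverted to the local port but the
        # socket's local address stays the original destination, so the reply
        # is already sourced from REMOTE_DNS with no rewriting (Andy's reading).
        return local_resolver(query, local_addr=REMOTE_DNS)
    if mode == "nat":
        # Translate inbound, remember the original destination per flow, and
        # translate the reply's source back on the way out.
        table = {(query.src, query.sport, query.txid): query.dst}
        redirected = replace(query, dst=LOCAL_DNS)
        reply = local_resolver(redirected, local_addr=GATEWAY)
        original_dst = table[(reply.dst, reply.dport, reply.txid)]
        return replace(reply, src=original_dst)
    raise ValueError(f"unknown mode {mode!r}")

def client_accepts(query: Packet, reply: Packet) -> bool:
    """A stub resolver's minimal check: the answer must come from the server and
    port it asked, back to its own port, with the transaction id it sent."""
    return (reply.src == query.dst and reply.sport == query.dport
            and reply.dst == query.src and reply.dport == query.sport
            and reply.txid == query.txid)

def exchange(mode: str) -> tuple:
    """Run one query through the gateway; return (accepted, reply)."""
    query = Packet(CLIENT, 40000, REMOTE_DNS, 53, 0x1234, "Q www.example.com")
    reply = gateway(query, mode)
    return client_accepts(query, reply), reply

if __name__ == "__main__":
    for mode in ("plain", "fwd", "nat"):
        accepted, reply = exchange(mode)
        print(f"{mode:5s} reply {reply.src}:{reply.sport} -> {reply.dst}:{reply.dport}"
              f"  accepted={accepted}")
```

Run stand-alone it prints one line per model: the plain redirect is rejected by the client because the answer arrives from 10.0.0.254 rather than 10.0.0.200, while both the fwd-as-documented model and the NAT model produce a reply the client accepts. Whether the real fwd path behaves like the second model is exactly the point the thread leaves open, so the thing to verify on a live box is the source address of the reply as captured on the client side of the gateway.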