The slides of my CansecWest talk can now be downloaded: Playing with Network Layers to Bypass Firewalls’ Filtering Policy.
The required counter-measures are described in the Secure use of iptables and connection tracking helpers document
The associated video demonstrations are available:
First video demonstrates how to use forged IRC protocol command (DCC request) to be able to open connection to a NATed client from internet.
Second video demonstrates the effect of the attack on helpers on a non protected Netfilter Firewall.
Third video demonstrates the effect of the attack on helpers on a badly configured Checkpoint firewall.
More information will come in upcoming posts.