Playing with Network Layers to Bypass Firewalls’ Filtering Policy

The slides of my CansecWest talk can now be downloaded: Playing with Network Layers to Bypass Firewalls’ Filtering Policy.

The required counter-measures are described in the Secure use of iptables and connection tracking helpers document

The associated video demonstrations are available:

First video demonstrates how to use forged IRC protocol command (DCC request) to be able to open connection to a NATed client from internet.

<div>
  <p>
    Second video demonstrates the effect of the attack on helpers on a non protected Netfilter Firewall.
  </p>
  
  <p>
    </div> 
    
    <div>
      <p>
        Third video demonstrates the effect of the attack on helpers on a badly configured Checkpoint firewall.
      </p>
      
      <p>
        </div> 
        
        <p>
          More information will come in upcoming posts.
        </p>