Re: A firewall won't stop this one

From: Volker Birk (bumens_at_dingens.org)
Date: 11/02/03
Date: Sun, 2 Nov 2003 08:19:29 +0100

NetUser <slightly-freaked-out@verizon.net> wrote:
> [working around "personal firewalls" via 127.0.0.1 communication]
> I have been telling people about this... but nobody understands or cares.

Yes.

That is one of the reasons for http://www.fefe.de/pffaq/

It is completely impossible to deny communication for applications
without having a real sandbox. For processes you need a virtual
machine for that. All other "sandboxing", as implemented by the
personal firewalls, will not work at all.

If you start a process which only listens on localhost, you can,
in spite of all port filtering on the interfaces, send data to it by
using localhost URLs.

As an example.

> Then go to http://www.geocities.com/thebestnumber9/ and scroll down a little
> to the link to http://www.freakzone2000.com/adult.htm and click on that.
> Again you will get your own little site from your own port 80. But, if you
> manually type http://www.freakzone2000.com/adult.htm into your browser, you
> get an entirely different site.

They're using redirection in HTTP.

You're watching layer 5/6 communication here. You can stop that by
implementing a filtering proxy for your firewall. Port filtering
does not work for that; it's layer 3/4.

VB.

-- 
X-Pie Software GmbH
Postfach 1540, 88334 Bad Waldsee
Phone +49-7524-996806 Fax +49-7524-996807
mailto:vb@x-pie.de  http://www.x-pie.de
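Added example, not from the original post or from the pffaq: one check a filtering proxy of the kind the post suggests could apply, flagging an HTTP redirect whose Location header points at the loopback interface. The response bytes and hostnames are constructed samples.

```python
"""Flag HTTP redirects that send the browser to a loopback URL.
Added example for a filtering proxy; not code from the original post."""
import ipaddress
from urllib.parse import urlsplit

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_response_head(raw: bytes) -> tuple[int, dict[str, str]]:
    """Return (status code, lower-cased header map) from a raw response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def is_loopback_target(location: str) -> bool:
    """True if the URL names the loopback interface by name or IP literal."""
    host = urlsplit(location).hostname  # None for a relative Location
    if host is None:
        return False  # relative redirect stays on the origin server
    if host.lower() in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback  # 127.0.0.0/8 or ::1
    except ValueError:
        return False  # an ordinary hostname, not an IP literal


def redirect_to_loopback(raw: bytes) -> bool:
    """True if the response is a redirect whose target is loopback."""
    status, headers = parse_response_head(raw)
    if status not in REDIRECT_STATUSES:
        return False
    return is_loopback_target(headers.get("location", ""))


# Constructed sample: a redirect of the kind the post describes.
SAMPLE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://127.0.0.1/adult.htm\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("block redirect:", redirect_to_loopback(SAMPLE_REDIRECT))
```

The check belongs in the proxy, not in a port filter, because the Location header only exists at the HTTP layer.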