* Do I need a firewall rule for RST ?
@ 2002-07-09 16:50 Jan Humme
From: Jan Humme @ 2002-07-09 16:50 UTC
  To: netfilter

In /var/log/messages, I often find packets that have been rejected because 
of the following rules:

$IPTABLES -A FORWARD -m multiport -p tcp -i ppp0 --sports $TCPOUT\
	-j ACCEPT --tcp-flags ACK ACK
$IPTABLES -A FORWARD -m multiport -p tcp -o ppp0 --dports $TCPOUT\
	-j ACCEPT

In short, what I want to achieve is that incoming traffic should always have 
the ACK-bit set.

Packets that are rejected most often are packets that have the RST-flag set:

Jul  9 14:08:58 jhh kernel: IN=ppp0 OUT=eth0 SRC=145.58.30.9 DST=192.168.0.1 
LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=32896 PROTO=TCP SPT=80 DPT=1068 WINDOW=0 
RES=0x00 RST URGP=0
Jul  9 14:08:59 jhh kernel: IN=ppp0 OUT=eth0 SRC=145.58.30.9 DST=192.168.0.1 
LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=33682 PROTO=TCP SPT=80 DPT=1068 WINDOW=0 
RES=0x00 RST URGP=0
Jul  9 14:09:01 jhh kernel: IN=ppp0 OUT=eth0 SRC=145.58.30.9 DST=192.168.0.1 
LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=35186 PROTO=TCP SPT=80 DPT=1068 WINDOW=0 
RES=0x00 RST URGP=0

Questions:

1) AFAIK these packets are harmless, correct? Or could some of them be used 
in attacks?

2) (Assuming they are harmless:) is it safe then to add a rule:

$IPTABLES -A FORWARD -m multiport -p tcp -i ppp0 --sports $TCPOUT\
	-j ACCEPT --tcp-flags RST RST
 
3) Is there perhaps a better way to deal with these kinds of packets? 
Perhaps I should rather use "state" and forget about the flags?

Jan Humme.



* Re: Do I need a firewall rule for RST ?
From: Ramin Alidousti @ 2002-07-09 17:35 UTC
  To: Jan Humme; +Cc: netfilter

On Tue, Jul 09, 2002 at 06:50:13PM +0200, Jan Humme wrote:

> Questions:
> 
> 1) AFAIK these packets are harmless, correct? Or could some of them be used 
> in attacks?

Someone can send you these packets to tear down your established
tcp sessions. Not that it's easy to do, but it is feasible.

> 
> 2) (Assuming they are harmless:) is it safe then to add a rule:
> 
> $IPTABLES -A FORWARD -m multiport -p tcp -i ppp0 --sports $TCPOUT\
> 	-j ACCEPT --tcp-flags RST RST
>  
> 3) Is there perhaps a better way to deal with these kinds of packets? 
> Perhaps I should rather use "state" and forget about the flags?

Yes. I'd do this. However, it doesn't protect you from the case mentioned
above. The only solution for that is using IPsec. But then again, you
cannot run IPsec for all your traffic...

Ramin

> Jan Humme.
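Added example, not code from either poster: a small Python emulation of the two matching styles the thread compares, run over the logged RST from the first post plus two constructed log lines. It assumes a placeholder $TCPOUT of 80/443 and a hand-built stand-in for the conntrack table, and evaluates `--tcp-flags mask comp` as (flags & mask) == comp, which is how iptables interprets that option.

```python
import re
# Flag words netfilter's LOG target prints as bare tokens when set.
TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}

# Constructed sample: line 1 is the logged RST from the thread; the other two
# are invented for contrast (an ACK inside a tracked flow, and a bare SYN).
SAMPLE_LOG = [
    "Jul  9 14:08:58 jhh kernel: IN=ppp0 OUT=eth0 SRC=145.58.30.9 DST=192.168.0.1 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=32896 PROTO=TCP SPT=80 DPT=1068 WINDOW=0 RES=0x00 RST URGP=0",
    "Jul  9 14:09:05 jhh kernel: IN=ppp0 OUT=eth0 SRC=145.58.30.9 DST=192.168.0.1 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=35190 PROTO=TCP SPT=80 DPT=1069 WINDOW=5840 RES=0x00 ACK PSH URGP=0",
    "Jul  9 14:09:07 jhh kernel: IN=ppp0 OUT=eth0 SRC=145.58.30.9 DST=192.168.0.1 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=35191 PROTO=TCP SPT=80 DPT=1070 WINDOW=5840 RES=0x00 SYN URGP=0",
]
# Constructed stand-ins: the poster's $TCPOUT list, and a conntrack table of
# flows the firewall saw go out, keyed (remote ip, port, local ip, port).
TCPOUT = {"80", "443"}
ESTABLISHED = {("145.58.30.9", "80", "192.168.0.1", "1069")}

def parse_log_line(line):
    """Split a netfilter LOG line into KEY=VALUE fields plus a FLAGS set."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields

def tcp_flags_match(flags, mask, comp):
    """Emulate '--tcp-flags mask comp': among the bits in mask, exactly comp set."""
    return (flags & mask) == comp

def flag_rule_verdict(pkt):
    """Verdict of the thread's flag-based FORWARD rules: the ACK rule, then the
    proposed RST rule; anything else falls through to the logging reject."""
    if pkt.get("IN") != "ppp0" or pkt.get("PROTO") != "TCP" or pkt.get("SPT") not in TCPOUT:
        return "no-match"
    if tcp_flags_match(pkt["FLAGS"], {"ACK"}, {"ACK"}):
        return "accept:ack-rule"
    if tcp_flags_match(pkt["FLAGS"], {"RST"}, {"RST"}):
        return "accept:rst-rule"
    return "reject"

def state_rule_verdict(pkt):
    """Simplified '-m state --state ESTABLISHED': accept only packets of a flow
    already in the table, whatever their flags (an RST that hits a tracked flow
    still passes, which is the teardown case the reply says state cannot stop)."""
    key = (pkt.get("SRC"), pkt.get("SPT"), pkt.get("DST"), pkt.get("DPT"))
    return "accept:established" if key in ESTABLISHED else "reject"

def classify_all(lines):
    """Return (DPT, flags, flag-rule verdict, state-rule verdict) per log line."""
    return [(p["DPT"], " ".join(sorted(p["FLAGS"])), flag_rule_verdict(p),
             state_rule_verdict(p)) for p in map(parse_log_line, lines)]
```

Running classify_all(SAMPLE_LOG) shows the unsolicited RST to port 1068 is accepted by the proposed RST rule but rejected by the state rule, while the ACK in the tracked flow passes both.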

