From: "Oskar Andreasson" <blueflux@koffein.net>
To: <netfilter-devel@lists.samba.org>
Subject: Re: Security flaw in Stateful filtering ??????
Date: Fri, 7 Jun 2002 11:41:07 +0200
Message-ID: <0fef01c20e07$72d707d0$6501a8c0@multisofteducation.com>
In-Reply-To: 3D007D73.9030609@cs.auc.dk
No,
Look below
----- Original Message -----
From: "Emmanuel Fleury" <fleury@cs.auc.dk>
To: <netfilter-devel@lists.samba.org>
Sent: Friday, June 07, 2002 11:31 AM
Subject: Re: Security flaw in Stateful filtering ??????
> Henrik Nordstrom wrote:
> >
> > This configuration can be done just fine with iptables as demonstrated in my
> > earlier message, but here we go again (but slightly different):
> >
> > # Allow existing connections
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
This line allows all connections that have a connection tracking entry which shows that the connection that the packet is part of is ESTABLISHED. RELATED means that if the packet is RELATED to a connection tracking entry, it will slip through as well (i.e. FTP-Data is related to FTP-Control, and ICMPs may be related to TCP connections, etc.).
In other words, the above line allows all packets that are not initiating a new connection to pass through the firewall.
> > # Allow hidden net to initiate new connections (including connection pickup)
> > iptables -A FORWARD -i eth0 -j ACCEPT
_this_ line allows all packets from eth0 (probably your LAN) to pass through the firewall, including the packets opening a new connection.
> > # Drop anything else
> > iptables -A FORWARD -j DROP
Finally, we have a rule that DROPs all other packets, including packets from the internet trying to initiate a NEW connection.
Does this make sense? =) Of course, note that this will _not_ block traffic directed to the actual firewall itself, but only traffic to hosts behind the firewall.
Oskar Andreasson
http://www.boingworld.com
http://people.unix-fu.org/andreasson/
mailto: blueflux@koffein.net
>
> Sorry, I don't understand something ! :-/
>
> Does that mean that you DROP all the ACKs, even those which are valid ?
>
> Regards
> --
> Emmanuel
>
> I am not a vegetarian because I love animals;
> I am a vegetarian because I hate plants.
> -- A. Whitney Brown
>
>
>
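As an added illustration of how the three FORWARD rules discussed above treat a valid ACK versus an unsolicited one: this is constructed example code, not part of the thread and not iptables itself; it models only first-match rule evaluation against a simplified conntrack table, and the interface names and addresses are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on ("eth0" = LAN here)
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # TCP flags, e.g. "S", "SA", "A" (informational only)

@dataclass
class Conntrack:
    # Constructed stand-in for the kernel conntrack table: a flow is known once
    # its first packet was accepted. RELATED (FTP data, ICMP errors) is not modelled.
    flows: set = field(default_factory=set)

    def state(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def track(self, p: Packet) -> None:
        self.flows.add((p.src, p.sport, p.dst, p.dport))

def forward_chain(ct: Conntrack, p: Packet, lan_iface: str = "eth0") -> str:
    """Walk the three FORWARD rules quoted in the message; first match wins."""
    # iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    if ct.state(p) in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    # iptables -A FORWARD -i eth0 -j ACCEPT  (LAN may open new connections)
    if p.in_iface == lan_iface:
        ct.track(p)  # entry is only confirmed because the packet was accepted
        return "ACCEPT"
    # iptables -A FORWARD -j DROP
    return "DROP"

def demo() -> list:
    """Constructed packets: a LAN-initiated session plus two unsolicited ones from eth1."""
    ct = Conntrack()
    pkts = [
        Packet("eth0", "192.168.1.10", "203.0.113.5", 40000, 80, "S"),   # LAN opens
        Packet("eth1", "203.0.113.5", "192.168.1.10", 80, 40000, "SA"),  # reply
        Packet("eth1", "203.0.113.5", "192.168.1.10", 80, 40000, "A"),   # valid ACK
        Packet("eth1", "198.51.100.7", "192.168.1.10", 1234, 22, "A"),   # stray ACK
        Packet("eth1", "198.51.100.7", "192.168.1.10", 1234, 22, "S"),   # inbound SYN
    ]
    return [forward_chain(ct, p) for p in pkts]
```

The valid ACK belongs to a tracked flow and is accepted by the first rule; the stray ACK has no conntrack entry, so it is NEW, does not come from eth0, and falls through to DROP.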