From: Martin Josefsson <gandalf@wlug.westbo.se>
To: Emmanuel Fleury <fleury@cs.auc.dk>
Cc: Netfilter-devel <netfilter-devel@lists.samba.org>,
	Mikkel Christiansen <mixxel@cs.auc.dk>,
	Mikkel Refsgaard Bech <mrb@cs.auc.dk>,
	Torben Vinther Schmidt <mariachi@cs.auc.dk>,
	Carsten Stiborg <stiborg@cs.auc.dk>
Subject: Re: Security flaw in Stateful filtering ??????
Date: 06 Jun 2002 19:48:14 +0200
Message-ID: <1023385694.4894.50.camel@tux>
In-Reply-To: <3CFF9A00.2070805@cs.auc.dk>

On Thu, 2002-06-06 at 19:21, Emmanuel Fleury wrote:

[snip]
> I am just quoting their mail here:
 
[snip again]

> For short:
> - ACK packets are classified as NEW (without opening a connection),
> - Therefore, allowing NEW packets allow all the ACK packets to go
>    through,
> - And consequently, in this setting, you can perform ACK scanning
>    if you just trust the documentation...
> 
> Actually, I don't know what to answer to them. Has somebody any clue to
> explain this ?

Tell them (well, they are probably the ones cc'd :) to read through the
netfilter and netfilter-devel mailing list archives, as there have been
discussions about this.

And tell them that they should look at the conntrack-tcp-nopickup patch
in patch-o-matic. This patch disables the exact thing described here.

I recently mailed a patch against patch-o-matic that improves the
conntrack-tcp-nopickup patch so you can change the behaviour at runtime.

The newest tcp-window-tracking patch also has support for disabling this
type of connection pickup.

If you apply the conntrack-tcp-nopickup patch, these ACKs will be marked
as INVALID instead of NEW.

-- 
/Martin

Never argue with an idiot. They drag you down to their level, then beat
you with experience.
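
The classification step the thread argues about, as an added example (not code from netfilter, patch-o-matic or anyone on this list): a toy model of a stateful TCP filter with a switch for mid-stream "pickup", a naive "allow NEW" policy next to one carrying the usual ruleset-level guards, and an ACK scan run against each combination. Addresses, ports, class and function names are constructed for the demo; the model deliberately omits window tracking and timeouts.

```python
"""Toy model of the classification step discussed in this thread.

Added example, not code from netfilter, patch-o-matic or anyone on this
list. It models only one decision: what a stateful TCP filter calls a
segment for which it holds no state. With pickup enabled (stock conntrack
as the quoted report describes it) a bare ACK to an untracked 4-tuple is
tagged NEW and a tracking entry is created; with pickup disabled (the
behaviour the thread attributes to conntrack-tcp-nopickup) it is INVALID.
Addresses, ports and policy names below are constructed for the demo.
"""
from dataclasses import dataclass, field

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

    def key(self):
        # Direction-agnostic 4-tuple so that replies hit the same entry.
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


@dataclass
class Conntrack:
    pickup: bool = True                    # True: stock behaviour, False: nopickup
    table: set = field(default_factory=set)

    def classify(self, pkt):
        if pkt.key() in self.table:
            return "ESTABLISHED"
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.table.add(pkt.key())      # a real connection opener
            return "NEW"
        # No state and not a SYN: the contested case from the thread.
        if self.pickup:
            self.table.add(pkt.key())      # mid-stream pickup: trusted from now on
            return "NEW"
        return "INVALID"


def naive_policy(state, pkt):
    """'Allow NEW and ESTABLISHED', as a documentation example would have it."""
    return state in ("NEW", "ESTABLISHED")


def hardened_policy(state, pkt):
    """Same, plus the two ruleset-level guards (iptables-style, for reference):
         iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
         iptables -A INPUT -m state --state INVALID -j DROP
    --syn means SYN set with ACK and RST clear, mirrored below."""
    if state == "INVALID":
        return False
    if state == "NEW" and (pkt.flags & (SYN | ACK | RST)) != SYN:
        return False
    return state in ("NEW", "ESTABLISHED")


def ack_scan(ct, policy, target, ports, attacker="198.51.100.7"):
    """Send one bare-ACK probe per port; return the ports the filter let through.

    A probe that reaches the host draws a RST from it whether the port is open
    or closed, which is exactly what an ACK scan uses to map filtered ports.
    """
    passed = []
    for port in ports:
        probe = Packet(attacker, 40000 + port, target, port, ACK)
        if policy(ct.classify(probe), probe):
            passed.append(port)
    return passed


if __name__ == "__main__":
    ports = [22, 25, 80, 443]
    for pickup, policy in [(True, naive_policy), (False, naive_policy), (True, hardened_policy)]:
        got = ack_scan(Conntrack(pickup=pickup), policy, "192.0.2.10", ports)
        print(f"pickup={pickup!s:5} {policy.__name__:16} probes passed: {got}")
```

With pickup on and the naive policy every probe passes; turning pickup off (the patch's side of the fix) or adding the `! --syn` and INVALID guards (the ruleset side) each stop the scan on its own, while a normal SYN, SYN/ACK, ACK handshake still classifies as NEW then ESTABLISHED under the hardened policy.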


Thread overview: 55+ messages
2002-06-06 17:21 Security flaw in Stateful filtering ?????? Emmanuel Fleury
2002-06-06 17:48 ` Martin Josefsson [this message]
2002-06-06 17:54 ` Maciej Soltysiak
2002-06-06 18:52   ` Emmanuel Fleury
2002-06-06 19:11     ` Maciej Soltysiak
2002-06-06 19:30     ` Guillaume Morin
2002-06-06 19:53       ` Patrick Schaaf
2002-06-06 19:43     ` Henrik Nordstrom
2002-06-06 17:57 ` Patrick Schaaf
2002-06-06 18:34   ` Emmanuel Fleury
2002-06-06 19:12     ` Patrick Schaaf
2002-06-06 19:28       ` Emmanuel Fleury
2002-06-06 19:27     ` Henrik Nordstrom
2002-06-06 20:50       ` Emmanuel Fleury
2002-06-06 21:26         ` Henrik Nordstrom
  -- strict thread matches above, loose matches on Subject: below --
2002-06-06 19:29 Sneppe Filip
2002-06-06 22:15 Andy Whitcroft
     [not found] <20020606220914.A14542@groar.org>
2002-06-06 23:31 ` Rusty Russell
2002-06-06 23:52   ` Joerg Mayer
2002-06-07  2:10     ` Rusty Russell
2002-06-07  2:53       ` Joerg Mayer
2002-06-07 12:45         ` Marcus Sundberg
2002-06-07 14:36       ` Henrik Nordstrom
2002-06-07 21:48     ` Ben Reser
2002-06-07  8:15   ` Emmanuel Fleury
2002-06-07  8:50     ` Oskar Andreasson
2002-06-07 12:27       ` Jozsef Kadlecsik
2002-06-10  8:04         ` Oskar Andreasson
2002-06-10  8:26           ` Emmanuel Fleury
2002-06-12  9:23           ` Jozsef Kadlecsik
2002-06-07  9:05     ` Henrik Nordstrom
2002-06-07  9:31       ` Emmanuel Fleury
2002-06-07  9:41         ` Oskar Andreasson
2002-06-07  9:43         ` Guillaume Morin
2002-06-07  9:57           ` Emmanuel Fleury
2002-06-07 10:17             ` Guillaume Morin
2002-06-07 11:30               ` Emmanuel Fleury
2002-06-07 13:33                 ` Guillaume Morin
2002-06-07 15:13                   ` Emmanuel Fleury
2002-06-07 18:36                     ` Guillaume Morin
2002-06-07 19:00                       ` Patrick Schaaf
2002-06-08  2:06                         ` Emmanuel Fleury
2002-06-08  8:21                           ` Patrick Schaaf
2002-06-08 12:02                             ` Henrik Nordstrom
2002-06-09  7:03                               ` Emmanuel Fleury
2002-06-09  8:29                                 ` Patrick Schaaf
2002-06-08  1:42                       ` Emmanuel Fleury
2002-06-07 10:17             ` Henrik Nordstrom
2002-06-07 10:11         ` Henrik Nordstrom
2002-06-07 22:02     ` Ben Reser
2002-06-08  2:13       ` Emmanuel Fleury
2002-06-08  8:23         ` Patrick Schaaf
2002-06-08 16:41         ` Ben Reser
2002-06-07  9:42 Mikkel Christiansen
2002-06-08  7:44 ` Harald Welte
