From: Cedric Blancher <blancher@cartel-securite.fr>
To: "Jens Lechtenbörger" <lechten@wi.uni-muenster.de>
Cc: netfilter@lists.netfilter.org
Subject: Re: NEW vs INVALID
Date: 30 Sep 2002 17:26:50 +0200 [thread overview]
Message-ID: <1033399610.1633.38.camel@elendil> (raw)
In-Reply-To: <m2elbb4w7h.fsf@pcwi1068.uni-muenster.de>
Le lun 30/09/2002 à 12:18, Jens Lechtenbörger a écrit :
> using stateful packet matching I wonder how an INVALID tcp packet is
> defined. In particular, I set up a rule to log inbound NEW ssh
> connections to port 22:
> iptables -A INPUT -m state --state NEW -p TCP --dport 22 -j LOG
> --log-level 5 --log-prefix "IPTABLES: Legal NEW TCP: "
> What confuses me, is that this rule not only logs initial SYN
> packets but also (initial) packets with SYN and FIN set.
> I thought that such packets should be INVALID...
> Is this a bug or a feature?
Definitly a feature ;)
States a completly different concept than TCP connection, for it must
also apply to UDP, or other layer 4 protocols, which can be
connectionless.
A NEW packet is a packet for which Netfilter cannot find an existing
state in conntrack table. This packet, if TCP, can be SYN, as it should,
but also ACK, or any flag combination you want. This packet, if allowed,
create a state that will match following packets.
An INVALID packet is a packet for which Netfilter cannot guess its
state. Most of the time, it is ICMP errors that cannot be associated
(i.e. RELATED) to an existing connection. You can also have ressources
lack or bugs.
So, a packet why strange flags combination, such as SYN+FIN, is wrong
from TCP point of vue, but is a valid packet from state tracking point
of vue. This behaviour allows you to define exactly want you want to
match. As an example, you can consider match Xmas or Null scans :
iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j LOG
iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j LOG
To be strict, your iptables command should be :
iptables -A INPUT -m state --state NEW -p TCP --dport 22 --syn -j LOG --log-level 5 --log-prefix "IPTABLES: Legal NEW TCP: "
My 2 cents of euro.
--
Cédric Blancher
Consultant en sécurité des systèmes et réseaux - Cartel Sécurité
Tél: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
next prev parent reply other threads:[~2002-09-30 15:26 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-09-30 10:18 NEW vs INVALID Jens Lechtenbörger
2002-09-30 14:39 ` Anders Fugmann
2002-10-01 8:49 ` Cedric Blancher
2002-10-01 9:05 ` Anders Fugmann
2002-10-01 11:19 ` Cedric Blancher
2002-09-30 15:26 ` Cedric Blancher [this message]
2002-09-30 15:50 ` Jens Lechtenbörger
2002-10-01 10:33 ` Martijn Klingens
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1033399610.1633.38.camel@elendil \
--to=blancher@cartel-securite.fr \
--cc=lechten@wi.uni-muenster.de \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.