RE: discard TCP SYN

[Ralf Spenneberg <lists@spenneberg.org>]

Am Mit, 2003-08-06 um 18.42 schrieb Michael K:
> Thank you.
>  
> So iptables that uses connection-tracking is safe. And the old ipchains
> is not, including the old ipfwadm?
> Hurray for iptables :-)
Well, kind of. The old ipchains had a safe syn check. 
Manpage extract:
 -y, --syn       Only match TCP packets with the SYN bit set and the
              	  ACK and FIN bits cleared.

But when using iptables' connection tracking you are usually safe.

Cheers,

Ralf
> 
> /Klintan
> 
> > -----Original Message-----
> > From: netfilter-admin@lists.netfilter.org 
> > [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of 
> > Ralf Spenneberg
> > Sent: Wednesday, August 06, 2003 2:43 PM
> > To: Michael K
> > Cc: Netfilter
> > Subject: Re: discard TCP SYN
> > 
> > 
> > Am Mit, 2003-08-06 um 13.32 schrieb Michael K:
> > > My firewall have default policy to drop (in, out & fwd)
> > > Some protocols are open for communications, such as tcp/80, ftp/21 
> > > from the internet Then I use stateful inspection, accepting 
> > > estabished,related. However, the nessus scanner is reporting this:
> > > -----
> > > The remote host does not discard TCP SYN packets which
> > > have the FIN flag set.
> > > 
> > > Depending on the kind of firewall you are using, an
> > > attacker may use this flaw to bypass its rules.
> > 
> > The better solution would be to only accept SYN Packets which 
> > actually are SYN packets. iptables -A FORWARD -p tcp --syn -m 
> > state --state NEW -s whatever -j ACCEPT
> > 
> > But ....
> > This SYN/FIN stuff comes from an old packetfilter 
> > implementation which implemented a very simple SYN test: Is 
> > only the SYN-Bit set? Yes, then it is a SYN-packet! If you 
> > relied on this test to implement the firewall-rules on this 
> > non-stateful packetfilter, you would create two rules:
> > 
> > Allow everything from the inside to the outside including 
> > SYN. Allow everything from the outside to the inside but SYN.
> > 
> > Now, TCP-connection could only be initiated (meaning a SYN could be
> > send) from the inside, right? No, you could send a SYN from 
> > the outside, once you have figured out that you needed a 
> > second flag set. 
> > Well, I wonder what happens if you use SYN/FIN? The firewall 
> > passes it and most (all?) operating systems ignore the FIN 
> > and operate on the SYN. Connection Established!
> > 
> > Remember this is only possible on non-stateful packetfilters 
> > (read: These packetfilters do not use connection tracking)
> > 
> > Once you use connection tracking that code decides in which 
> > direction the connection is initiated. It is not just a 
> > matter of the SYN-packet.
> > 
> > Cheers,
> > 
> > Ralf
> > -- 
> > Ralf Spenneberg
> > RHCE, RHCX
> > 
> > Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
> > IPsec-Howto				     http://www.ipsec-howto.org
> > Honeynet Project Mirror:                     
> > http://honeynet.spenneberg.org
> > 
> > 
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org