From: Henrik Nordstrom <hno@marasystems.com>
To: netfilter-devel@lists.samba.org, Emmanuel Fleury <fleury@cs.auc.dk>
Subject: Re: Security flaw in Stateful filtering ??????
Date: Thu, 6 Jun 2002 23:26:49 +0200 [thread overview]
Message-ID: <200206062326.49227.hno@marasystems.com> (raw)
In-Reply-To: <3CFFCB15.1050708@cs.auc.dk>
Emmanuel Fleury wrote:
> The core of the problem seems to be a conflict between two features:
>
> 1) The existing connections shouldn't be stopped when you change the
> rules of your firewall at run time (something which occur much more
> often than the reboot of one firewall).
>
> 2) The connection tracking / Stateful inspection
Nope. The connection pickup feature is purely about reboots and failover.
Change of rules do not affect connection tracking in any manner. Only packets
and actions taken by your ruleset does (DROP/REJECT kills the conntrack
entry)
> But, I still don't understand how the data packets can go through your
> firewall if they are not matching NEW (except if you have an assymetric
> configuration as NAT)...
???
> Moreover, the fact that you match ACK packets with NEW, break part of
> the stateful inspection and force the user to make some additional rules
> in order to avoid ACK scanning of your network.
Not really, it only makes state NEW not very useful as a match as it is
extremely broad.
A somewhat sane typical iptables rulesets looks like
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD [definition of allowed connection] -j ACCEPT
-A FORWARD [definition of allowed connection] -j ACCEPT
-A FORWARD [definition of allowed connection] -j ACCEPT
...
-A FORWARD -j DROP
If we take the quoted example of a SMTP server, and adds a HTTP server in the
mix this becomes
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d ip.of.smtp.server -p tcp --syn --dport 25 -j ACCEPT
-A FORWARD -d ip.of.smtp.server -p tcp --syn --dport 80 -j ACCEPT
-A FORWARD -j DROP
And will properly block all those scans you are so worried about.
Another exampe config, where connection pickup is wanted..
eth0: connected to internal trusted network
eth1: connected to external untrusted network
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow for outgoing SSH sessions with connection pickup after reboot
-A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
[more rules allowing what should be allowed...]
-A FORWARD -i eth0 -j REJECT
-A FORWARD -j DROP
which also blocks such scans if received from the outside (eth1), but allows
some of them if received from the inside (eth0) and targeting allowed
services.
I do have a few real life cases where -m state --state NEW is a valuable
match, but these are too obscure for this thread.
Regards
Henrik
next prev parent reply other threads:[~2002-06-06 21:26 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-06-06 17:21 Security flaw in Stateful filtering ?????? Emmanuel Fleury
2002-06-06 17:48 ` Martin Josefsson
2002-06-06 17:54 ` Maciej Soltysiak
2002-06-06 18:52 ` Emmanuel Fleury
2002-06-06 19:11 ` Maciej Soltysiak
2002-06-06 19:30 ` Guillaume Morin
2002-06-06 19:53 ` Patrick Schaaf
2002-06-06 19:43 ` Henrik Nordstrom
2002-06-06 17:57 ` Patrick Schaaf
2002-06-06 18:34 ` Emmanuel Fleury
2002-06-06 19:12 ` Patrick Schaaf
2002-06-06 19:28 ` Emmanuel Fleury
2002-06-06 19:27 ` Henrik Nordstrom
2002-06-06 20:50 ` Emmanuel Fleury
2002-06-06 21:26 ` Henrik Nordstrom [this message]
-- strict thread matches above, loose matches on Subject: below --
2002-06-06 19:29 Sneppe Filip
2002-06-06 22:15 Andy Whitcroft
[not found] <20020606220914.A14542@groar.org>
2002-06-06 23:31 ` Rusty Russell
2002-06-06 23:52 ` Joerg Mayer
2002-06-07 2:10 ` Rusty Russell
2002-06-07 2:53 ` Joerg Mayer
2002-06-07 12:45 ` Marcus Sundberg
2002-06-07 14:36 ` Henrik Nordstrom
2002-06-07 21:48 ` Ben Reser
2002-06-07 8:15 ` Emmanuel Fleury
2002-06-07 8:50 ` Oskar Andreasson
2002-06-07 12:27 ` Jozsef Kadlecsik
2002-06-10 8:04 ` Oskar Andreasson
2002-06-10 8:26 ` Emmanuel Fleury
2002-06-12 9:23 ` Jozsef Kadlecsik
2002-06-07 9:05 ` Henrik Nordstrom
2002-06-07 9:31 ` Emmanuel Fleury
2002-06-07 9:41 ` Oskar Andreasson
2002-06-07 9:43 ` Guillaume Morin
2002-06-07 9:57 ` Emmanuel Fleury
2002-06-07 10:17 ` Guillaume Morin
2002-06-07 11:30 ` Emmanuel Fleury
2002-06-07 13:33 ` Guillaume Morin
2002-06-07 15:13 ` Emmanuel Fleury
2002-06-07 18:36 ` Guillaume Morin
2002-06-07 19:00 ` Patrick Schaaf
2002-06-08 2:06 ` Emmanuel Fleury
2002-06-08 8:21 ` Patrick Schaaf
2002-06-08 12:02 ` Henrik Nordstrom
2002-06-09 7:03 ` Emmanuel Fleury
2002-06-09 8:29 ` Patrick Schaaf
2002-06-08 1:42 ` Emmanuel Fleury
2002-06-07 10:17 ` Henrik Nordstrom
2002-06-07 10:11 ` Henrik Nordstrom
2002-06-07 22:02 ` Ben Reser
2002-06-08 2:13 ` Emmanuel Fleury
2002-06-08 8:23 ` Patrick Schaaf
2002-06-08 16:41 ` Ben Reser
2002-06-07 9:42 Mikkel Christiansen
2002-06-08 7:44 ` Harald Welte
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200206062326.49227.hno@marasystems.com \
--to=hno@marasystems.com \
--cc=fleury@cs.auc.dk \
--cc=netfilter-devel@lists.samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.