From: Henrik Nordstrom <hno@marasystems.com>
To: netfilter-devel@lists.samba.org, Emmanuel Fleury <fleury@cs.auc.dk>
Subject: Re: Security flaw in Stateful filtering ??????
Date: Fri, 7 Jun 2002 12:11:16 +0200 [thread overview]
Message-ID: <200206071211.16173.hno@marasystems.com> (raw)
In-Reply-To: <3D007D73.9030609@cs.auc.dk>
Emmanuel Fleury wrote:
> Henrik Nordstrom wrote:
> > This configuration can be done just fine with iptables as demonstrated in
> > my earlier message, but here we go again (but slightly different):
> >
> > # Allow existing connections
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > # Allow hidden net to initiate new connections (including connection
> > pickup) iptables -A FORWARD -i eth0 -j ACCEPT
> > # Drop anything else
> > iptables -A FORWARD -j DROP
>
> Sorry, I don't understand something ! :-/
>
> Does that mean that you DROP all the ACKs, even those which are valid ?
Valid ACKs (including SYN,ACK, ICMP errors etc) are matched by the first rule
as these will be ESTABLISHED.
Hidden network sends SYN, this gets state NEW in the firewall and do not match
the first rule. The second rule then picks up the packet and allows it to be
sent out as it is sent from the trusted network (eth0), thereby allowing the
conntrack entry to be created.
SYN+ACK received from the called server, matching the conntrack entry created
by the SYN and gets matched as ESTABLISHED in the first rule.
Future ACK's matching this conntrack gets matched by the first rule as
ESTABLISHED.
Now, lets assume the firewall reboots or other action causing the conntrack
entry to disappear from the netfilter connection tracking table.
Server (external / eth1) sends ACK. As there is no conntrack entry this gets
state NEW and is NOT matched by the first rule, and as it is not initiated
from your hidden network (eth0) it is NOT allowed by the second rule and gets
denied by the third rule. As the packet is not allowed no conntrack entry
gets ceated here.
Client (internal / eth0) sends ACK. As there is no conntrack entry this is a
NEW packet and is not accepted by the first rule. But as the second rule
allows anything from the inside the packet is accepted, allowing the
conntrack entry to be created.
Server sends ACK after receiving the client ACK. This matches the conntrack
entry created above and will be matched as ESTABLISHED by the first rule and
the connection tracking state has been fully restored.
Regards
Henrik
next prev parent reply other threads:[~2002-06-07 10:11 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20020606220914.A14542@groar.org>
2002-06-06 23:31 ` Security flaw in Stateful filtering ?????? Rusty Russell
2002-06-06 23:52 ` Joerg Mayer
2002-06-07 2:10 ` Rusty Russell
2002-06-07 2:53 ` Joerg Mayer
2002-06-07 12:45 ` Marcus Sundberg
2002-06-07 14:36 ` Henrik Nordstrom
2002-06-07 21:48 ` Ben Reser
2002-06-07 8:15 ` Emmanuel Fleury
2002-06-07 8:50 ` Oskar Andreasson
2002-06-07 12:27 ` Jozsef Kadlecsik
2002-06-10 8:04 ` Oskar Andreasson
2002-06-10 8:26 ` Emmanuel Fleury
2002-06-12 9:23 ` Jozsef Kadlecsik
2002-06-07 9:05 ` Henrik Nordstrom
2002-06-07 9:31 ` Emmanuel Fleury
2002-06-07 9:41 ` Oskar Andreasson
2002-06-07 9:43 ` Guillaume Morin
2002-06-07 9:57 ` Emmanuel Fleury
2002-06-07 10:17 ` Guillaume Morin
2002-06-07 11:30 ` Emmanuel Fleury
2002-06-07 13:33 ` Guillaume Morin
2002-06-07 15:13 ` Emmanuel Fleury
2002-06-07 18:36 ` Guillaume Morin
2002-06-07 19:00 ` Patrick Schaaf
2002-06-08 2:06 ` Emmanuel Fleury
2002-06-08 8:21 ` Patrick Schaaf
2002-06-08 12:02 ` Henrik Nordstrom
2002-06-09 7:03 ` Emmanuel Fleury
2002-06-09 8:29 ` Patrick Schaaf
2002-06-08 1:42 ` Emmanuel Fleury
2002-06-07 10:17 ` Henrik Nordstrom
2002-06-07 10:11 ` Henrik Nordstrom [this message]
2002-06-07 22:02 ` Ben Reser
2002-06-08 2:13 ` Emmanuel Fleury
2002-06-08 8:23 ` Patrick Schaaf
2002-06-08 16:41 ` Ben Reser
2002-06-08 9:07 ` ACK is NEW: Conclusion ? (was:Re: Security flaw in Stateful filtering ??????) Emmanuel Fleury
2002-06-07 9:42 Security flaw in Stateful filtering ?????? Mikkel Christiansen
2002-06-08 7:44 ` Harald Welte
-- strict thread matches above, loose matches on Subject: below --
2002-06-06 22:15 Andy Whitcroft
2002-06-06 19:29 Sneppe Filip
2002-06-06 17:21 Emmanuel Fleury
2002-06-06 17:48 ` Martin Josefsson
2002-06-06 17:54 ` Maciej Soltysiak
2002-06-06 18:52 ` Emmanuel Fleury
2002-06-06 19:11 ` Maciej Soltysiak
2002-06-06 19:30 ` Guillaume Morin
2002-06-06 19:53 ` Patrick Schaaf
2002-06-06 19:43 ` Henrik Nordstrom
2002-06-06 17:57 ` Patrick Schaaf
2002-06-06 18:34 ` Emmanuel Fleury
2002-06-06 19:12 ` Patrick Schaaf
2002-06-06 19:28 ` Emmanuel Fleury
2002-06-06 19:27 ` Henrik Nordstrom
2002-06-06 20:50 ` Emmanuel Fleury
2002-06-06 21:26 ` Henrik Nordstrom
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200206071211.16173.hno@marasystems.com \
--to=hno@marasystems.com \
--cc=fleury@cs.auc.dk \
--cc=netfilter-devel@lists.samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.