From: David Cannings <lists@edeca.net>
To: netfilter@lists.netfilter.org
Subject: Re: Can I only allow those normal TCP 3-handshake packets through my firewall?
Date: Wed, 28 Apr 2004 15:50:14 +0100 [thread overview]
Message-ID: <200404281550.14493.lists@edeca.net> (raw)
In-Reply-To: <408FA76E.2040302@cis.nctu.edu.tw>
On Wednesday 28 April 2004 13:45, u9067580@cis.nctu.edu.tw wrote:
> I use a test tool to verify my iptables firewall, but unfortunately it
> doesn't pass. The test tool doesn't follow the normal TCP 3-handshake
> Syn->SynAck->Ack, it goes as below.
> 1. A:25205 ---SYN---> B:80
> 2. A:25205 <---SYN--- B:80
> (ie. 25205 and 80 are port numbers)
> My test report tells me that it can successfully send a reply (2nd)
> packet, which only has SYN flag, through my firewall. I found the tcp
> tracking state is SYN_RECV from the /proc/net/ip_conntrack after the
> 2nd packet is pass. As my understood, the SYN_RECV only happens when
> the "Syn+Ack" packet is pass, doesn't it?
No. If a packet with the SYN and ACK packets is received in response to a
packet with only SYN sent, you send an ACK (the third part of the three
way handshake) and enter the ESTABLISHED state. The "normal" three way
handshake does not enter the SYN_RECEIVED state on the client side.
What you are seeing is perfectly valid, receiving a packet with only SYN
set in response to the first step of the three way handshake enters
SYN_RECEIVED and is called a "simultaneous open". Using Google Image
Search for "tcp state diagram" will bring up a multitude of diagrams
which show this.
> Besides, can I only allow those normal TCP 3-handshake packets through
> my firewall?
Just using conntrack as normal and denying any NEW packets to ports that
shouldn't have daemons listening on them probably will not stop these
packets. Denying these packets using the --syn flag, for ports that
should not have daemons on, should work. I have not tested it but I
believe this would stop the situation you describe. If you do test this,
please post your results so I and others know whether it works or not.
Note that what you are seeing is an acceptable situation however, you may
not wish to block it.
Hope that helps,
David
prev parent reply other threads:[~2004-04-28 14:50 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-04-28 12:45 Can I only allow those normal TCP 3-handshake packets through my firewall? u9067580
2004-04-28 14:50 ` David Cannings [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200404281550.14493.lists@edeca.net \
--to=lists@edeca.net \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.