From: Matteo Croce <3297627799@wind.it>
To: netfilter-devel@lists.netfilter.org
Subject: UNWANTED state
Date: Wed, 29 Dec 2004 23:58:15 +0100
Message-ID: <200412292358.16490.3297627799@wind.it>
Hi,
some time ago I wanted to stealth my gateway, so I started dropping outgoing
icmp-port-unreachable packets, to avoid UDP scans.
But I also had a '--dport 113 -j REJECT' target to allow faster IRC logins,
which stopped working since those ICMPs were rejected by the new rule.
So I hacked the kernel with a patch, which I also attach, to prevent those
packets from being generated.
I also started dropping outgoing RST/ACK to prevent TCP scans, but now I have a
question:
can an UNWANTED state be useful?
I mean, incoming packets whose dstport is closed would be classified as UNWANTED.
So it would be possible to drop UNWANTED packets, and a port would be open when
some service listens on it and filtered (not closed) when the service doesn't
listen.
A simple firewall has a DROP default policy and opens the used ports.
But what happens when the service listening behind that port stops listening?
The port remains unfiltered, and sends RST/ACK (or icmp-port-unreachable)
when someone tries to connect to it.
Regards, Matteo
--
.""`. Matteo Croce <3297627799@wind.it>
: :" : proud Debian admin and user
`. `"`
`- Debian - when you have better things to do than fix a system
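The rule-ordering problem described above (the blanket drop of outgoing port-unreachables swallowing the reply the port-113 REJECT is meant to send) can be solved in netfilter alone. The following is an added example, not code from the post or the kernel: it rejects identd with a TCP reset instead of an ICMP error, so the reply can be let out of OUTPUT by matching source port 113 before the blanket RST drop. Ports 22 and 80 stand in for whatever services the gateway actually runs (constructed sample values).

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a "stealth" host: default DROP on INPUT,
# closed ports answer nothing, but identd (113) still gets an immediate reset
# so IRC servers do not wait for a timeout. Load with:
#   stealth_ruleset | iptables-restore
stealth_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# services this host really runs (sample ports, adjust to taste)
-A INPUT -p tcp --dport 22 --syn -j ACCEPT
-A INPUT -p tcp --dport 80 --syn -j ACCEPT
# identd: reply with a TCP reset instead of ICMP port-unreachable, so the
# reply is a packet we can single out in OUTPUT by its source port
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# OUTPUT order matters: the RST generated by the REJECT above traverses
# OUTPUT, so accept it first, then hide every other closed port
-A OUTPUT -p tcp --sport 113 --tcp-flags RST RST -j ACCEPT
-A OUTPUT -p tcp --tcp-flags RST RST -j DROP
-A OUTPUT -p icmp --icmp-type port-unreachable -j DROP
COMMIT
EOF
}

# Sanity check used below: the line number of the 113 accept must precede
# the blanket RST drop, otherwise identd would time out again.
rule_line() {
    stealth_ruleset | grep -n -- "$1" | cut -d: -f1
}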
[-- Attachment #2: udp.diff --]
diff -urN linux-2.6.10-vanilla/net/ipv4/udp.c linux-2.6.10/net/ipv4/udp.c
--- linux-2.6.10-vanilla/net/ipv4/udp.c 2004-12-26 17:17:09.000000000 +0100
+++ linux-2.6.10/net/ipv4/udp.c 2004-12-29 02:57:26.000000000 +0100
@@ -1165,7 +1165,7 @@
goto csum_error;
UDP_INC_STATS_BH(UDP_MIB_NOPORTS);
- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+// icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
/*
* Hmm. We got an UDP packet to a port to which we
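Review bot: the `+// icmp_send(...)` line removes ICMP Port Unreachable for every UDP datagram that reaches a closed port on this host, unconditionally, while the `UDP_INC_STATS_BH(UDP_MIB_NOPORTS)` line just above still counts the datagram as if the reply had gone out. Kernel code does not leave `//`-commented lines behind; if this is meant to be a host policy, gate the `icmp_send()` call behind a sysctl that defaults to the standard behaviour, or leave the call alone and solve the ordering in the netfilter OUTPUT chain, where the rule dropping port-unreachables can come after the rules whose replies must still be sent.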
diff -urN linux-2.6.10-vanilla/net/ipv6/udp.c linux-2.6.10/net/ipv6/udp.c
--- linux-2.6.10-vanilla/net/ipv6/udp.c 2004-12-26 17:17:10.000000000 +0100
+++ linux-2.6.10/net/ipv6/udp.c 2004-12-29 02:57:48.000000000 +0100
@@ -523,7 +523,7 @@
goto discard;
UDP6_INC_STATS_BH(UDP_MIB_NOPORTS);
- icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, dev);
+// icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, dev);
kfree_skb(skb);
return(0);
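Review bot: same issue for the IPv6 path: `+// icmpv6_send(...)` silently drops ICMPv6 Port Unreachable for all unmatched UDP, while `UDP6_INC_STATS_BH(UDP_MIB_NOPORTS)` keeps incrementing. If a knob is added, have both the IPv4 and the IPv6 hunk consult the same sysctl so the two families stay consistent, and delete the line rather than commenting it out.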