From: Willy Tarreau <willy@w.ods.org>
To: Matteo Croce <rootkit85@yahoo.it>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: UNWANTED state
Date: Fri, 31 Dec 2004 06:56:57 +0100 [thread overview]
Message-ID: <20041231055657.GA3759@alpha.home.local> (raw)
In-Reply-To: <200412300139.49266.rootkit85@yahoo.it>
On Thu, Dec 30, 2004 at 01:39:48AM +0100, Matteo Croce wrote:
> > On Thu, Dec 30, 2004 at 12:42:17AM +0100, Matteo Croce wrote:
> > Perhaps you should consider using:
> >
> > --dport 113 -j REJECT --reject-with tcp-reset
> > instead of hacking the kernel to disable icmp rejects?
> >
>
> # iptables -I INPUT 1 -p tcp --dport 4567 -j REJECT --reject-with tcp-reset
> # hping3 127.0.0.1 -p 4567 -S
> HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes
> len=40 ip=127.0.0.1 ttl=255 DF id=0 sport=4567 flags=RA seq=0 win=0 rtt=0
>
>
> --reject-with tcp-reset sends RST/ACK that are dropped by my firewall
it seems to me that you forgot to add the following rule for the RST packet
to go out :
# iptables -I OUTPUT -m state --state ESTABLISHED -j ACCEPT
Regards,
willy
> > Why do you care if people get an icmp unreachable when
> > the service is down? You aren't making the box more secure IMO by not
> > allowing the icmp error outbound.
>
> Tryng to reduce at minimum unneeded traffic is a sort of protection against
> DOS.
Normally, you should be able to do most of this by checking for ESTABLISHED
and RELATED states. I don't know if there is a relation between your port 113
and the service you're using, but I believe that a cleaner solution would be
to add this relation to the conntrack helper associated to your particular
service.
In other terms, you would then do something like this :
-A INPUT -m state ESTABLISHED -j ACCEPT
-A INPUT -m state RELATED -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -m state RELATED -j ACCEPT
... check for new connections here then final drop ...
-A INPUT -j DROP
A last solution would be the RECENT match. You create an entry when
establishing the outgoing session, and you match against it in return so that
only this address has the permission to receive a REJECT.
> Let's say i have a 4096/400 ADSL.
> Someone with a ~512kbit upload can send me an large amount of data on a closed
> port with something like 'hping3 <IP> -S -p <PORT> --flood', and my 400kbit
> upload
> will be unable to send 512Kbit of RST/ACKs.
You know, it's enough that you have *one* open port for an attacker to be able
to do this, be it SMTP, HTTP, SSH, or anything else...
Regards,
Willy
next prev parent reply other threads:[~2004-12-31 5:56 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-12-29 23:42 UNWANTED state Matteo Croce
2004-12-29 23:56 ` Phil Oester
2004-12-30 0:39 ` Matteo Croce
2004-12-31 5:56 ` Willy Tarreau [this message]
2004-12-31 13:15 ` Matteo Croce
-- strict thread matches above, loose matches on Subject: below --
2004-12-29 22:58 Matteo Croce
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20041231055657.GA3759@alpha.home.local \
--to=willy@w.ods.org \
--cc=netfilter-devel@lists.netfilter.org \
--cc=rootkit85@yahoo.it \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.