From: Matteo Croce <rootkit85@yahoo.it>
To: netfilter-devel@lists.netfilter.org
Subject: Re: UNWANTED state
Date: Fri, 31 Dec 2004 14:15:53 +0100
Message-ID: <200412311415.53465.rootkit85@yahoo.it>
In-Reply-To: <20041231055657.GA3759@alpha.home.local>
> In other terms, you would then do something like this :
>
> -A INPUT -m state ESTABLISHED -j ACCEPT
> -A INPUT -m state RELATED -p tcp --dport 113 -j REJECT --reject-with tcp-reset
> -A INPUT -m state RELATED -j ACCEPT
> ... check for new connections here then final drop ...
> -A INPUT -j DROP
>
> A last solution would be the RECENT match. You create an entry when
> establishing the outgoing session, and you match against it in return so that
> only this address has the permission to receive a REJECT.
Here is my iptables -L output:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID,UNTRACKED
DROP       icmp --  anywhere             anywhere             icmp echo-request
REJECT     tcp  --  anywhere             anywhere             tcp dpt:auth reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/RST,ACK
Add the patch that doesn't respond on closed UDP ports with an ICMP, and I have
the system stealthed with only 3 rules.
But I also know that the kernel patch and the rule that drops RST/ACKs are very ugly hacks.
Don't forget that this ugly hack works even for loopback!
> You know, it's enough that you have *one* open port for an attacker to be
> able to do this, be it SMTP, HTTP, SSH, or anything else...
Yes, but in most typical end-user systems, open ports will be only:
20 for non PASV ftp transfers
some ports for IRC's DCC transfer
some ports for P2P apps
These ports are open only when needed, and (apart from p2p)
the program that opens them accepts only one connection.
So it is almost impossible to be DoSed with traffic on port 20 or so..
> Regards,
> Willy
Regards,
Matteo
--
 .''`.  Matteo Croce <rootkit85@yahoo.it>
: :'  : proud Debian admin and user
`. `'`
  `-    Debian - when you have better things to do than fix a system
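The difference between the two approaches discussed above, as an added example that is not part of the thread: a toy model of the INPUT chain that contrasts an unconditional REJECT on tcp/113 (the listing above, where any unsolicited probe gets an answer and so learns the host is up) with the `recent`-style variant Willy suggests, where only peers we connected out to are answered. Conntrack states and the recent list are simulated here, not taken from a real kernel; the addresses are constructed.

```python
# Added example: simulated INPUT chain, not real netfilter code.
from dataclasses import dataclass

IDENT_PORT = 113  # tcp "auth" in the iptables -L listing


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int
    state: str  # simulated conntrack state: NEW, ESTABLISHED, RELATED, INVALID, UNTRACKED


class InputChain:
    """Evaluate one packet the way the two discussed rulesets would."""

    def __init__(self, reject_ident_from_anyone: bool) -> None:
        self.reject_ident_from_anyone = reject_ident_from_anyone
        # Simulated `recent` list: peers we opened an outbound connection to.
        self.recent: set[str] = set()

    def outbound_connection(self, dst: str) -> None:
        """Record a peer we connected to (the `recent --set` step on OUTPUT)."""
        self.recent.add(dst)

    def verdict(self, pkt: Packet) -> str:
        if pkt.state in ("INVALID", "UNTRACKED"):
            return "DROP"
        if pkt.state in ("ESTABLISHED", "RELATED"):
            return "ACCEPT"
        if pkt.proto == "tcp" and pkt.dport == IDENT_PORT:
            if self.reject_ident_from_anyone or pkt.src in self.recent:
                return "REJECT"  # an answer goes out, so the host is visibly up
            return "DROP"
        return "DROP"  # every other new connection: stay silent


def probe_results() -> dict[str, str]:
    """Unsolicited ident probe from a stranger vs. lookup from a server we contacted."""
    stranger = Packet("198.51.100.7", "tcp", IDENT_PORT, "NEW")      # constructed
    mail_server = Packet("203.0.113.25", "tcp", IDENT_PORT, "NEW")   # constructed
    out = {}
    for name, flag in (("unconditional", True), ("recent", False)):
        fw = InputChain(reject_ident_from_anyone=flag)
        fw.outbound_connection(mail_server.src)  # we delivered mail to this server
        out[f"{name}/stranger"] = fw.verdict(stranger)
        out[f"{name}/mail_server"] = fw.verdict(mail_server)
    return out
```

Only the `recent` variant stays silent to the stranger while still sending the ident REJECT to the server we actually talked to.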