From: "Neal P. Murphy" <neal.p.murphy@alum.wpi.edu>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: Iptables Reject with TCP Reset
Date: Tue, 10 Jan 2017 13:32:21 -0500
Message-ID: <20170110133221.560d3b6d@playground>
In-Reply-To: <HK2PR0201MB21294E23EB7B6CFD0DE8D406E8670@HK2PR0201MB2129.apcprd02.prod.outlook.com>

On Tue, 10 Jan 2017 10:09:55 +0000
Matt Killock <matt.killock@praemium.com> wrote:

> > The rule you made here makes little sense. It would be preferable to make a more simple rule at "the top" like this ...
> >
> > This will allow "all" traffic for rules you have already allowed through other rules in the FW (no matter the IP or interface).
> 
> I note that it would be simpler to have one such rule for RELATED,ESTABLISHED but that's not the way we've done things here, much to Noel's disgust. :)
> 
> We've blocked everything, including OUTPUT, by default. There are no general SNAT rules or MASQUERADE. We've tried to allow only the bare minimum required for two-way traffic between a small set of host/port combinations. This has led to some unnecessary duplication of ESTABLISHED rules, and I didn't appreciate that RELATED traffic is what the 'REJECT with TCP-Reset' traffic is classed as but otherwise it makes (some) sense and does work.

This doesn't make much sense. A RELATED packet is the first packet of a new conn that a helper has determined is related to an existing conn (e.g., the data conn of an FTP control session). Once a RELATED packet is replied to, the resulting conn is an ordinary, vanilla ESTABLISHED conn; specifically, the RELATED 'tag' is discarded. When a packet matches a "REJECT with TCP-Reset" rule, netfilter immediately sends a TCP RESET to the end that sent the packet.

It may be that TCP RESET applies to the first TCP SYN packet of a conn. But RESETting only established TCP conns and using ICMP 'admin prohibited' for all other packets works well and is logical.

It almost sounds like you built a nearly stateless firewall.

A rule near the top that allows packets for ESTABLISHED,RELATED conns to pass is more efficient, and is probably significantly more so on a busy router because *most* packets will be associated with established conns and should be handled without needlessly passing them through all the 'new conn' checks.
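The ruleset shape this reply argues for, as an added example that is not from the thread or from any poster: default-deny policies, one ESTABLISHED,RELATED rule near the top of INPUT and OUTPUT, a handful of explicit NEW allowances, and REJECT with tcp-reset for TCP and icmp-admin-prohibited for everything else. The management network, DNS server and ports are constructed sample values, and the script assumes iptables with the conntrack match on the firewall host.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny ruleset with the state
# rule near the top, a few NEW allowances, then REJECT (tcp-reset for TCP,
# ICMP admin-prohibited for the rest). Assumes iptables with the conntrack
# match, run as root. IPT=echo previews the commands without touching the kernel.
IPT="${IPT:-iptables}"
# Constructed sample allowances (documentation ranges, not real hosts).
MGMT_NET="192.0.2.0/24"
DNS_SERVER="198.51.100.53"

build_rules() {
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Loopback, then the state rule: most packets belong to a connection
    # already accepted, so they exit here instead of walking the NEW rules.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate INVALID -j DROP
    $IPT -A OUTPUT -m conntrack --ctstate INVALID -j DROP
    # Only the first packet of each permitted flow needs a NEW rule;
    # the replies in both directions are covered by the state rule above.
    $IPT -A INPUT  -p tcp -s "$MGMT_NET" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    # Everything else: TCP gets a RST, all other protocols an ICMP error.
    for chain in INPUT OUTPUT; do
        $IPT -A "$chain" -p tcp -j REJECT --reject-with tcp-reset
        $IPT -A "$chain" -j REJECT --reject-with icmp-admin-prohibited
    done
}

# Preview check: the INPUT state rule must come before any INPUT NEW rule.
state_rule_precedes_new() {
    (IPT=echo; build_rules) | awk '
        /-A INPUT/ && /ESTABLISHED,RELATED/ && !s { s = NR }
        /-A INPUT/ && /ctstate NEW/ && !n { n = NR }
        END { exit !(s && n && s < n) }'
}

case "${1:-}" in
    apply)   build_rules ;;
    preview) (IPT=echo; build_rules) ;;
esac
```

Run `sh fw.sh preview` to see the commands that `sh fw.sh apply` would issue; the preview check fails if a NEW rule ever gets reordered ahead of the state rule.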
