From: Emmanuel Fleury <fleury@cs.auc.dk>
To: netfilter-devel@lists.samba.org
Subject: Re: Security flaw in Stateful filtering ??????
Date: Thu, 06 Jun 2002 20:52:13 +0200
Message-ID: <3CFFAF5D.4010103@cs.auc.dk>
In-Reply-To: Pine.LNX.4.21.0206061947590.19481-100000@dns.toxicfilms.tv

Maciej Soltysiak wrote:
> Hi,
>
>
>>A Solution:
>>-----------
>>As a temporary hack the following rule can be added as the second rule:
>>
>>iptables -A FORWARD -p tcp --tcp-flags ACK ACK -j DROP
>
> Well, I think everybody who gets to that point uses:
> iptables -A FORWARD -p tcp -m state --state NEW --syn -j ACCEPT
>
> type of rules. new + syn.
>
>
>>However, this is not a solid solution and the code should be modified,
>>as we see it, not to recognize ACK packets as being in the state NEW.
>
> I believe that state NEW says: a packet never seen before. A tuple that
> does not exist in current tracked connections table.

So, what are the INVALID packets ?????

According to my poor knowledge of TCP, I was classifying the NEW packets
as the packets which were part of the first three way handshake:

    SERVER (LISTENING)          CLIENT (CONNECTING)

                       SYN
            <-------------------
                    SYN + ACK
            ------------------->
                       ACK
            <-------------------

            3-Way TCP handshake

After this, I was assuming that we were in the ESTABLISHED state.

Regards
--
Emmanuel
Premature optimization is the root of all evil.
-- Donald Knuth
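
Added example, not part of the original message and not netfilter code: a simplified Python model of the two rule styles discussed above (a bare state NEW rule versus "new + syn"), assuming state NEW is assigned purely by tuple lookup as the quoted reply describes. The addresses, packets and the `forward` helper are constructed for illustration.

```python
from collections import namedtuple

# Constructed packet record; flags is a frozenset of TCP flag names.
Packet = namedtuple("Packet", "src sport dst dport flags")

def is_syn(p):
    # iptables --syn: SYN set, and ACK, RST and FIN clear.
    return "SYN" in p.flags and not (p.flags & {"ACK", "RST", "FIN"})

def forward(packets, require_syn):
    """Model of a FORWARD chain: ESTABLISHED -> ACCEPT,
    NEW (and --syn when require_syn is True) -> ACCEPT, anything else -> DROP.
    Returns one (state, verdict) pair per packet."""
    table, verdicts = {}, []   # original-direction tuple -> reply seen?
    for p in packets:
        orig = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        if reply in table:             # answers a tracked flow
            table[reply] = True
            state = "ESTABLISHED"
        elif table.get(orig):          # tracked flow that has seen a reply
            state = "ESTABLISHED"
        else:                          # unknown tuple: flags are not consulted
            state = "NEW"
        accept = state == "ESTABLISHED" or not require_syn or is_syn(p)
        if accept and state == "NEW":
            table.setdefault(orig, False)  # only accepted packets get tracked
        verdicts.append((state, "ACCEPT" if accept else "DROP"))
    return verdicts

def f(*names):
    return frozenset(names)

# Constructed traffic: one full handshake, then a bare ACK on an unseen tuple.
SAMPLE = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, f("SYN")),
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, f("SYN", "ACK")),
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, f("ACK")),
    Packet("10.0.0.9", 40001, "192.0.2.10", 80, f("ACK")),
]

if __name__ == "__main__":
    for label, strict in (("state NEW only", False), ("state NEW + --syn", True)):
        print(label)
        for pkt, (state, verdict) in zip(SAMPLE, forward(SAMPLE, strict)):
            print("  %-9s %-11s %s" % ("+".join(sorted(pkt.flags)), state, verdict))
```

In this model the handshake packets get the same verdicts under both rule styles; only the bare ACK on an unseen tuple is treated differently.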