From: Emmanuel Fleury <fleury@cs.auc.dk>
To: netfilter-devel@lists.samba.org
Subject: ACK is NEW: Conclusion ? (was:Re: Security flaw in Stateful filtering ??????)
Date: Sat, 08 Jun 2002 11:07:46 +0200 [thread overview]
Message-ID: <3D01C962.1060309@cs.auc.dk> (raw)
In-Reply-To: 20020607220256.GT28055@titanium.brain.org
Hi all,
Ok, let's conclude this thread.
What was the initial problem ?:
-------------------------------
FAQ: Some invalid ACK packets are going through my firewall !!!
By reading the current documentation, most of the people are assuming
that there is a perfect match between the states of the TCP protocol
and the states of the connection tracking module (NEW, ESTABLISHED,
RELATED and INVALID).
This is wrong !
For example, the state NEW of the connection tracking module is
matching much more than the three way handshake initiating a TCP
connection. Actually, all the ACK packets which are not part of a
registered connection are matched as NEW and will create a new
entry in the table. In the same way, the FIN and RST packets which are
not part of any existing connection will create a new entry.
This behaviour is _not_ a bug of Netfilter, it is intended in order
to avoid to shut down the pending connections after a reboot of the
firewall.
The solution to fix this behaviour in the ruleset is to write:
# Disallow INVALID packets (must be in first position)
iptables -A FORWARD -m state --state INVALID -j DROP
# Allow existing connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
...
For more details, the precise behaviour of the state machine of the
connection tracking module can be found in: ip_conntrack_proto_tcp.c.
Some pending questions:
-----------------------
1) How to Define NEW and INVALID ?
Well, actually, the NEW and INVALID states does not exist, except
in a user point of view (where is the definition of those states in the
code ?). They are both matching the NO state which can probably be
defined as:
All the packets which are not part of a connection.
Therefore, it is difficult for me to define NEW and INVALID precisely.
If somebody can make this point clear, I would be pleased.
2) What documentation to fix ?
I would say that this feature require at least an entry in the FAQ
(the first part of this post can probably be used for this, I already
agree on every necessary modification of this text).
If a clear definition of what NEW and INVALID states are matching can
be done, the packet-filtering-HOWTO should be modified in consequence.
Moreover, this behaviour should be recalled as often as possible
in order to avoid the confusion between the states of the connection
tracking module and the states of the TCP protocol.
Hope this help.
--
Emmanuel
The real fun of living wisely is that you get to be smug about it.
-- Calvin & Hobbes (Bill Waterson)
prev parent reply other threads:[~2002-06-08 9:07 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20020606220914.A14542@groar.org>
2002-06-06 23:31 ` Security flaw in Stateful filtering ?????? Rusty Russell
2002-06-06 23:52 ` Joerg Mayer
2002-06-07 2:10 ` Rusty Russell
2002-06-07 2:53 ` Joerg Mayer
2002-06-07 12:45 ` Marcus Sundberg
2002-06-07 14:36 ` Henrik Nordstrom
2002-06-07 21:48 ` Ben Reser
2002-06-07 8:15 ` Emmanuel Fleury
2002-06-07 8:50 ` Oskar Andreasson
2002-06-07 12:27 ` Jozsef Kadlecsik
2002-06-10 8:04 ` Oskar Andreasson
2002-06-10 8:26 ` Emmanuel Fleury
2002-06-12 9:23 ` Jozsef Kadlecsik
2002-06-07 9:05 ` Henrik Nordstrom
2002-06-07 9:31 ` Emmanuel Fleury
2002-06-07 9:41 ` Oskar Andreasson
2002-06-07 9:43 ` Guillaume Morin
2002-06-07 9:57 ` Emmanuel Fleury
2002-06-07 10:17 ` Guillaume Morin
2002-06-07 11:30 ` Emmanuel Fleury
2002-06-07 13:33 ` Guillaume Morin
2002-06-07 15:13 ` Emmanuel Fleury
2002-06-07 18:36 ` Guillaume Morin
2002-06-07 19:00 ` Patrick Schaaf
2002-06-08 2:06 ` Emmanuel Fleury
2002-06-08 8:21 ` Patrick Schaaf
2002-06-08 12:02 ` Henrik Nordstrom
2002-06-09 7:03 ` Emmanuel Fleury
2002-06-09 8:29 ` Patrick Schaaf
2002-06-08 1:42 ` Emmanuel Fleury
2002-06-07 10:17 ` Henrik Nordstrom
2002-06-07 10:11 ` Henrik Nordstrom
2002-06-07 22:02 ` Ben Reser
2002-06-08 2:13 ` Emmanuel Fleury
2002-06-08 8:23 ` Patrick Schaaf
2002-06-08 16:41 ` Ben Reser
2002-06-08 9:07 ` Emmanuel Fleury [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3D01C962.1060309@cs.auc.dk \
--to=fleury@cs.auc.dk \
--cc=netfilter-devel@lists.samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.