From: Emmanuel Fleury <fleury@cs.auc.dk>
To: netfilter-devel@lists.samba.org
Subject: Re: Security flaw in Stateful filtering ??????
Date: Sun, 09 Jun 2002 09:03:27 +0200 [thread overview]
Message-ID: <3D02FDBF.6070005@cs.auc.dk> (raw)
In-Reply-To: 200206081402.17562@henrik.marasystems.com
Hi,
Excellent.
Thanks a lot for pointing ip_conntrack_core.c and explain all this !
Henrik Nordstrom wrote:
>
....
> The above states are "ctinfo" and is derived from the conntrack state
> flags and the packet currently being processed. The actual conntrack
> state flags are:
>
> ASSURED
> The protocol (TCP/UDP/IMCP...) has seen the initiation and
> establishment of this connection. For TCP this requires seeing the
> whole SYN -> SYN+ACK -> ACK transition, for UDP and ICMP it simply is
> seeing traffic in both directions..
>
> SEEN_REPLY
> There has been traffic seen in both directions on this connection.
> This is what makes conntrack packet state ESTABLISHED.
>
> EXPECTED
> This connection is identified as belonging to another connection. This
> is what makes conntrack packet state RELATED.
>
> If neither of SEEN_REPLY or EXPECTED is true for the connection then
> the packet state is NEW.
Ok.
I think I can see now why you didn't went to much in depth in the
packet-filtering HOWTO. The stateful module could require a full HOWTO
for itself if you want to fully understand it... :-/
The problem is that the definition of the HOWTO states that NEW match:
A packet which creates a new connection.
That's not true if you consider this from the protocol point of view
(and the confusion is happening very often). I could suggest something
like:
A packet which creates a new entry in the connection table
(Warning: NEW is matching all the packets which are creating a
connection in the considered protocol plus some others. For
example, considering the TCP protocol, an ACK packet which is not
part of an existing connection will also match the state NEW).
If you are agree on this modification, I'll do the patch against the
CVS archive.
(By the way, I can add also my proposition in the FAQ if everybody is
agree).
All suggestions or modifications are welcome.
> Of these, only ASSURED is directly dependent on the TCP connection
> tracking state, the others are only dependent on the ability of
> identifying which connection the packet may belong to.
Actually, ASSURED seems to be related to all the protocols which
expect a confirmation from the receiver before establishing the
connection (but in your case only TCP need a confirmation. UDP and
ICMP does not need this). Right ?
Regards
--
Emmanuel
Go not to Usenet for counsel, for it will say both
no, and yes, and no, and yes, and no, ....
-- Unknown
next prev parent reply other threads:[~2002-06-09 7:03 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20020606220914.A14542@groar.org>
2002-06-06 23:31 ` Security flaw in Stateful filtering ?????? Rusty Russell
2002-06-06 23:52 ` Joerg Mayer
2002-06-07 2:10 ` Rusty Russell
2002-06-07 2:53 ` Joerg Mayer
2002-06-07 12:45 ` Marcus Sundberg
2002-06-07 14:36 ` Henrik Nordstrom
2002-06-07 21:48 ` Ben Reser
2002-06-07 8:15 ` Emmanuel Fleury
2002-06-07 8:50 ` Oskar Andreasson
2002-06-07 12:27 ` Jozsef Kadlecsik
2002-06-10 8:04 ` Oskar Andreasson
2002-06-10 8:26 ` Emmanuel Fleury
2002-06-12 9:23 ` Jozsef Kadlecsik
2002-06-07 9:05 ` Henrik Nordstrom
2002-06-07 9:31 ` Emmanuel Fleury
2002-06-07 9:41 ` Oskar Andreasson
2002-06-07 9:43 ` Guillaume Morin
2002-06-07 9:57 ` Emmanuel Fleury
2002-06-07 10:17 ` Guillaume Morin
2002-06-07 11:30 ` Emmanuel Fleury
2002-06-07 13:33 ` Guillaume Morin
2002-06-07 15:13 ` Emmanuel Fleury
2002-06-07 18:36 ` Guillaume Morin
2002-06-07 19:00 ` Patrick Schaaf
2002-06-08 2:06 ` Emmanuel Fleury
2002-06-08 8:21 ` Patrick Schaaf
2002-06-08 12:02 ` Henrik Nordstrom
2002-06-09 7:03 ` Emmanuel Fleury [this message]
2002-06-09 8:29 ` Patrick Schaaf
2002-06-08 1:42 ` Emmanuel Fleury
2002-06-07 10:17 ` Henrik Nordstrom
2002-06-07 10:11 ` Henrik Nordstrom
2002-06-07 22:02 ` Ben Reser
2002-06-08 2:13 ` Emmanuel Fleury
2002-06-08 8:23 ` Patrick Schaaf
2002-06-08 16:41 ` Ben Reser
2002-06-08 9:07 ` ACK is NEW: Conclusion ? (was:Re: Security flaw in Stateful filtering ??????) Emmanuel Fleury
2002-06-07 9:42 Security flaw in Stateful filtering ?????? Mikkel Christiansen
2002-06-08 7:44 ` Harald Welte
-- strict thread matches above, loose matches on Subject: below --
2002-06-06 22:15 Andy Whitcroft
2002-06-06 19:29 Sneppe Filip
2002-06-06 17:21 Emmanuel Fleury
2002-06-06 17:48 ` Martin Josefsson
2002-06-06 17:54 ` Maciej Soltysiak
2002-06-06 18:52 ` Emmanuel Fleury
2002-06-06 19:11 ` Maciej Soltysiak
2002-06-06 19:30 ` Guillaume Morin
2002-06-06 19:53 ` Patrick Schaaf
2002-06-06 19:43 ` Henrik Nordstrom
2002-06-06 17:57 ` Patrick Schaaf
2002-06-06 18:34 ` Emmanuel Fleury
2002-06-06 19:12 ` Patrick Schaaf
2002-06-06 19:28 ` Emmanuel Fleury
2002-06-06 19:27 ` Henrik Nordstrom
2002-06-06 20:50 ` Emmanuel Fleury
2002-06-06 21:26 ` Henrik Nordstrom
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3D02FDBF.6070005@cs.auc.dk \
--to=fleury@cs.auc.dk \
--cc=netfilter-devel@lists.samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.