From: jpiszcz <jpiszcz@lucidpixels.com>
To: netfilter@lists.netfilter.org
Subject: Evil bug in netfilter/kernel 2.4.x?
Date: Mon, 10 Feb 2003 17:28:16 -0500 [thread overview]
Message-ID: <3E482780.2090903@lucidpixels.com> (raw)
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
"As a secondary note, if you use connection tracking you will not see
any fragmented packets, since they are dealt with before hitting any
chain or table in iptables."
PROBLEM:
root@p300:/etc/rc.d# iptables -t filter -I INPUT -f -j LOG --log-level 3
--log-prefix "FRAG: "
root@p300:/etc/rc.d# iptables -I INPUT -f -j LOG --log-level 3
--log-prefix "FRAG: "
root@p300:/etc/rc.d# iptables -I INPUT -f -j LOG --log-level 3
--log-prefix "FRAG: "
root@p300:/etc/rc.d# iptables -I INPUT -f -j DROP
I've tried all of these, each one by itself.
However, when I run tcpdump, I can clearly see these are not getting
dropped or logged by the kernel.
I like conn_track for DCC/FTP connections, however, to get logging &
dropping of fragmented packets working properly, I must recompile
without the conn_tracker's?
Wouldn't this be considered as a bug? Someone could be
pounding/scanning you with fragmented packets, and you would never see
it, as many people run the DCC and/or FTP connection trackers!
box1# nmap -sS -P0 -f -p 1-65535 box2.com
17:11:52.659286 box1.com > box2.com: (frag 2729:4@16)
17:11:52.661416 box1.com > box2.com: (frag 986:4@16)
17:11:52.663400 box1.com > box2.com: (frag 61814:4@16)
17:11:52.665398 box1.com > box2.com: (frag 30216:4@16)
17:11:52.667401 box1.com > box2.com: (frag 4100:4@16)
17:11:52.669392 box1.com > box2.com: (frag 61387:4@16)
947 packets received by filter
0 packets dropped by kernel
Is it possible in anyway to log/drop/match fragmented packets with
connection tracking turned on?
next reply other threads:[~2003-02-10 22:28 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-02-10 22:28 jpiszcz [this message]
2003-02-11 0:22 ` Evil bug in netfilter/kernel 2.4.x? Arnt Karlsen
-- strict thread matches above, loose matches on Subject: below --
2003-02-10 22:32 jpiszcz
2003-02-11 12:31 ` Gianni Tedesco
2003-02-11 14:26 ` jpiszcz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3E482780.2090903@lucidpixels.com \
--to=jpiszcz@lucidpixels.com \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.