From: Rahul Jadhav <rahul@iatp.org>
To: Cedric Blancher <blancher@cartel-securite.fr>
Cc: netfilter@lists.netfilter.org
Subject: Re: new tcp connections, without SYN
Date: Thu, 10 Apr 2003 12:53:07 -0500
Message-ID: <3E95AF83.5050508@iatp.org>
In-Reply-To: 1049964481.790.4.camel@elendil.intranet.cartel-securite.net
I have been following your messages for a while now and I tried the
'! --syn' and '--state NEW, RELATED' rule without much success. I am trying
to completely block the nmap -P0 and -PS probes.

Now I know I might need to recompile iptables with the tcp-nopickup patch.
Can you please elaborate more on what it does?

And also, could someone please write back with rules to block port scans (do I HAVE
to block ICMP completely for that?).

Rahul
Cedric Blancher wrote:
> On Wed 09/04/2003 at 18:04, dhiraj.2.bhuyan@bt.com wrote:
>
>> I tried sending an "ACK" packet from behind my Netfilter firewall to a
>> machine on the public side that actually doesn't exist.
>> A look in the /proc/net/ip_conntrack tells me that Netfilter tracked this
>> connection as "ESTABLISHED" but "UNREPLIED". So Netfilter does in fact allow
>> starting a TCP connection with an ACK packet.
>
> Yes it does, unless you apply the tcp-nopickup patch, which enforces that NEW and
> RELATED TCP packets must be SYN ones, flagging others as INVALID.
>
> This behaviour allows one to handle connections for which the firewall has
> not seen the SYN packet, such as asymmetrical routing, failover, reboot and
> stuff.
--
Institute for Agriculture and Trade Policy
2105 First Ave S
Minneapolis MN 55404
http://www.iatp.org
INFORMATION TECHNOLOGY

The best things in life are done by people with nowhere to turn.
-The Blind Assassin (Margaret Atwood)
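As an added example (not code from this thread or from the netfilter project), a small Python model of the pickup behaviour Cedric describes and of the '! --syn' plus '--state NEW' rule Rahul mentions. The Conntrack class, filter_tcp function and the address tuples are this example's own constructions; RELATED is not modelled.

```python
# Added example, not code from the thread: a model of stock conntrack pickup
# versus the tcp-nopickup patch, and of a '! --syn --state NEW' DROP rule.
from dataclasses import dataclass, field

SYN, ACK = 0x02, 0x10


@dataclass
class Conntrack:
    nopickup: bool = False      # True models the tcp-nopickup patch
    table: dict = field(default_factory=dict)   # (src, sport, dst, dport) -> entry

    def classify(self, flow, flags):
        """State that '-m state' would see; returns (state, entry_to_confirm)."""
        reverse = (flow[2], flow[3], flow[0], flow[1])
        if flow in self.table:
            return "ESTABLISHED", None
        if reverse in self.table:
            self.table[reverse]["unreplied"] = False   # reply seen
            return "ESTABLISHED", None
        # No entry: stock conntrack "picks up" any packet as a NEW connection
        # (a bare ACK then shows as ESTABLISHED UNREPLIED in ip_conntrack).
        if self.nopickup and not (flags & SYN):
            return "INVALID", None
        return "NEW", {"unreplied": True}


def filter_tcp(ct, flow, flags, drop_nosyn_new=True):
    """Verdict of an INPUT chain holding, in order:
         -m state --state INVALID -j DROP
         -p tcp ! --syn -m state --state NEW -j DROP   (if drop_nosyn_new)
         -j ACCEPT
    A conntrack entry is only confirmed when the packet is accepted."""
    state, pending = ct.classify(flow, flags)
    if state == "INVALID":
        return "DROP"
    if drop_nosyn_new and state == "NEW" and not (flags & SYN):
        return "DROP"
    if pending is not None:
        ct.table[flow] = pending
    return "ACCEPT"


def demo():
    """Constructed flows: a bare-ACK probe, and a client doing a real handshake.
    A legitimate flow picked up mid-stream (asymmetric routing) looks exactly
    like the probe to the firewall, which is the trade-off Cedric mentions."""
    probe = ("198.51.100.7", 40000, "192.0.2.10", 80)
    client = ("203.0.113.5", 50000, "192.0.2.10", 80)
    results = {}
    for name, ct in (("stock", Conntrack()), ("nopickup", Conntrack(nopickup=True))):
        results[name] = {
            "probe_no_rule": filter_tcp(Conntrack(ct.nopickup), probe, ACK, False),
            "probe": filter_tcp(ct, probe, ACK),
            "syn": filter_tcp(ct, client, SYN),
            "ack_after_syn": filter_tcp(ct, client, ACK),
        }
    return results
```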