* is there a way to discriminate the ESTABLISHED traffic?
From: Guido Lorenzutti @ 2005-04-04  2:51 UTC (permalink / raw)
  To: netfilter

How can I discriminate the traffic that my firewall is answering from a 
NEW request from a network, from the ESTABLISHED traffic that my firewall 
is making from a NEW request from itself?

In rules, to allow traffic TO my box from the lan 10.0.0.0/32

1 ipt -A INPUT -s 10.0.0.0/32 -m state --state NEW -j ACCEPT
2 ipt -A INPUT -s 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
3 ipt -A OUTPUT -d 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT

Now, to allow traffic FROM my box to the lan 10.0.0.0/32

4 ipt -A OUTPUT -d 10.0.0.0/32 -m state --state NEW -j ACCEPT
5 ipt -A OUTPUT -d 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
6 ipt -A INPUT -s 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT

Rules 3 and 5 are exactly the same. Is there a way to discriminate 
between them, or are things just like this and there is nothing to do about it?

Thanks in advance.


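None of the replies in this thread give the poster a rule-level answer, so here is one as an added example (not code from the thread or from the netfilter project). The idea is to record who opened the session at the moment the connection is NEW: the CONNMARK target in the mangle OUTPUT chain sets a bit on the conntrack entry of every session this box initiates, and the filter rules then match ESTABLISHED together with that bit, so rules 3 and 5 (and 2 and 6) stop being identical. Assumptions, not from the original post: the LAN is 10.0.0.0/24 (the /32 in the post matches a single host), the kernel provides the CONNMARK target and the connmark match, and the ruleset is loaded with iptables-restore.

```shell
#!/bin/sh
# Added example, not code from the thread.  Tag every session this box opens
# toward the LAN with a connmark bit, so that later ESTABLISHED packets can be
# told apart by who started the session.
# Assumptions: the LAN is 10.0.0.0/24 (a /32 as in the post matches one host),
# the kernel has the CONNMARK target and the connmark match, and the ruleset is
# loaded with iptables-restore.  Bit 0x1 of the connmark is reserved here as
# the "opened by this box" flag; the /0x1 mask leaves other mark bits alone.

build_ruleset() {
    lan="$1"
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# mangle OUTPUT runs after conntrack for locally generated packets, so the
# first packet of a session this box opens is already NEW here.  The mark is
# stored on the conntrack entry and is seen by every later packet of that
# session in both directions.  Sessions opened by LAN hosts never get it.
-A OUTPUT -d $lan -m state --state NEW -j CONNMARK --set-mark 0x1/0x1
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Sessions the LAN opens toward this box (rules 1-3 of the question).
-A INPUT -s $lan -m state --state NEW -j ACCEPT
-A INPUT -s $lan -m state --state ESTABLISHED -m connmark --mark 0x0/0x1 -j ACCEPT
-A OUTPUT -d $lan -m state --state ESTABLISHED -m connmark --mark 0x0/0x1 -j ACCEPT
# Sessions this box opens toward the LAN (rules 4-6 of the question).
-A OUTPUT -d $lan -m state --state NEW -j ACCEPT
-A OUTPUT -d $lan -m state --state ESTABLISHED -m connmark --mark 0x1/0x1 -j ACCEPT
-A INPUT -s $lan -m state --state ESTABLISHED -m connmark --mark 0x1/0x1 -j ACCEPT
COMMIT
EOF
}

# Number of ESTABLISHED rules that also carry a connmark match, i.e. rules
# that can tell the two kinds of ESTABLISHED traffic apart.
count_discriminating_rules() {
    build_ruleset "$1" | grep -c -- '--state ESTABLISHED -m connmark'
}

# Print the ruleset by default; "./script.sh 10.0.0.0/24 --apply" loads it
# (needs root and iptables-restore).
if [ "$2" = "--apply" ]; then
    build_ruleset "${1:-10.0.0.0/24}" | iptables-restore
else
    build_ruleset "${1:-10.0.0.0/24}"
fi
```

After loading, a quick check is to open a connection from the firewall to a LAN host and look at /proc/net/ip_conntrack (or `conntrack -L` where that tool is installed): entries for sessions this box opened show mark=1, entries for sessions the LAN opened show mark=0, and the packet counters on the two connmark-qualified ESTABLISHED rules move independently. Later iptables releases also offer `-m conntrack --ctdir ORIGINAL|REPLY`, which gives the same distinction per chain without marking, but that option did not exist in 2005.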

* Re: is there a way to discriminate the ESTABLISHED traffic?
From: Grant Taylor @ 2005-04-04  3:46 UTC (permalink / raw)
  To: Guido Lorenzutti; +Cc: netfilter

Without having a better explanation of what is going on (mach transcription) I'm going to stab in the dark here and think that you are looking for RELATED traffic, as it is not established but it is not completely new either.



Grant. . . .

Guido Lorenzutti wrote:
> How can I discriminate the traffic that my firewall is answering from a 
> NEW request from a network, from the ESTABLISHED traffic that my firewall 
> is making from a NEW request from itself?
> 
> In rules, to allow traffic TO my box from the lan 10.0.0.0/32
> 
> 1 ipt -A INPUT -s 10.0.0.0/32 -m state --state NEW -j ACCEPT
> 2 ipt -A INPUT -s 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
> 3 ipt -A OUTPUT -d 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
> 
> Now, to allow traffic FROM my box to the lan 10.0.0.0/32
> 
> 4 ipt -A OUTPUT -d 10.0.0.0/32 -m state --state NEW -j ACCEPT
> 5 ipt -A OUTPUT -d 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
> 6 ipt -A INPUT -s 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
> 
> Rules 3 and 5 are exactly the same. Is there a way to discriminate 
> between them, or are things just like this and there is nothing to do about it?
> 
> Thanks in advance.
> 



* Re: is there a way to discriminate the ESTABLISHED traffic?
From: John A. Sullivan III @ 2005-04-04  8:17 UTC (permalink / raw)
  To: Guido Lorenzutti; +Cc: Netfilter users list

On Sun, 2005-04-03 at 23:51 -0300, Guido Lorenzutti wrote:
> How can I discriminate the traffic that my firewall is answering from a 
> NEW request from a network, from the ESTABLISHED traffic that my firewall 
> is making from a NEW request from itself?
> 
> In rules, to allow traffic TO my box from the lan 10.0.0.0/32
> 
> 1 ipt -A INPUT -s 10.0.0.0/32 -m state --state NEW -j ACCEPT
> 2 ipt -A INPUT -s 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
> 3 ipt -A OUTPUT -d 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
> 
> Now, to allow traffic FROM my box to the lan 10.0.0.0/32
> 
> 4 ipt -A OUTPUT -d 10.0.0.0/32 -m state --state NEW -j ACCEPT
> 5 ipt -A OUTPUT -d 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
> 6 ipt -A INPUT -s 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
> 
> Rules 3 and 5 are exactly the same. Is there a way to discriminate 
> between them, or are things just like this and there is nothing to do about it?
> 
> Thanks in advance.

If I understand you correctly, you are asking if you can distinguish
established traffic patterns recorded in the conntrack table depending
on whether the firewall initiated the session or was responding to some
other device.  I believe that once the traffic flow is being managed by
connection tracking, the packets never traverse the filter table.  Thus,
you cannot see them there.

I suppose one could see them in the raw table but even then, it would be
difficult to distinguish after the SYN, SYN/ACK, SYN/ACK sequence for
TCP and even more so for UDP.  Why do you want to distinguish them?
Perhaps there is another way to achieve your goal? - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net




* Re: is there a way to discriminate the ESTABLISHED traffic?
From: Georgi Alexandrov @ 2005-04-04  9:00 UTC (permalink / raw)
  To: netfilter

Guido Lorenzutti wrote:

> How can I discriminate the traffic that my firewall is answering from 
> a NEW request from a network, from the ESTABLISHED traffic that my 
> firewall is making from a NEW request from itself?
>
> In rules, to allow traffic TO my box from the lan 10.0.0.0/32
>
> 1 ipt -A INPUT -s 10.0.0.0/32 -m state --state NEW -j ACCEPT
> 2 ipt -A INPUT -s 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
> 3 ipt -A OUTPUT -d 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
>
> Now, to allow traffic FROM my box to the lan 10.0.0.0/32
>
> 4 ipt -A OUTPUT -d 10.0.0.0/32 -m state --state NEW -j ACCEPT
> 5 ipt -A OUTPUT -d 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
> 6 ipt -A INPUT -s 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
>
> Rules 3 and 5 are exactly the same. Is there a way to discriminate 
> between them, or are things just like this and there is nothing to do 
> about it?
>
> Thanks in advance.
>
>
btw 10.0.0.0/32 ?!



* Re: is there a way to discriminate the ESTABLISHED traffic?
From: Georgi Alexandrov @ 2005-04-04 12:11 UTC (permalink / raw)
  To: netfilter

Guido Lorenzutti wrote:

> Georgi Alexandrov wrote:
>
>> Guido Lorenzutti wrote:
>>
>>> How can I discriminate the traffic that my firewall is answering 
>>> from a NEW request from a network, from the ESTABLISHED traffic that 
>>> my firewall is making from a NEW request from itself?
>>>
>>> In rules, to allow traffic TO my box from the lan 10.0.0.0/32
>>>
>>> 1 ipt -A INPUT -s 10.0.0.0/32 -m state --state NEW -j ACCEPT
>>> 2 ipt -A INPUT -s 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
>>> 3 ipt -A OUTPUT -d 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
>>>
>>> Now, to allow traffic FROM my box to the lan 10.0.0.0/32
>>>
>>> 4 ipt -A OUTPUT -d 10.0.0.0/32 -m state --state NEW -j ACCEPT
>>> 5 ipt -A OUTPUT -d 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
>>> 6 ipt -A INPUT -s 10.0.0.0/32 -m state --state ESTABLISHED -j ACCEPT
>>>
>>> Rules 3 and 5 are exactly the same. Is there a way to 
>>> discriminate between them, or are things just like this and there is 
>>> nothing to do about it?
>>>
>>> Thanks in advance.
>>>
>>>
>> btw 10.0.0.0/32 ?!
>>
>>
>
> Yeah.. what? I make my 10.0.0.0 subnet a class C :) It's Ok to do 
> that, try it!! :P
>
You probably mean 10.0.0.0/24 then ?

regards,
Georgi Alexandrov



* Re: is there a way to discriminate the ESTABLISHED traffic?
From: Jozsef Kadlecsik @ 2005-04-04 13:10 UTC (permalink / raw)
  To: John A. Sullivan III; +Cc: Netfilter users list

On Mon, 4 Apr 2005, John A. Sullivan III wrote:

> other device.  I believe that once the traffic flow is being managed by
> connection tracking, the packets never traverse the filter table.  Thus,
> you cannot see them there.

s/filter/nat/, but there is no NAT involved in the question.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary


