* syn-paket behind the firewall
@ 2005-09-20 21:18 Leopold Aichinger
From: Leopold Aichinger @ 2005-09-20 21:18 UTC (permalink / raw)
To: Netfilter Mailing Liste
Playing around with the new snort-machine I realised that a router
behind the firewall is sending 'icmp destination unreachable - host
unreachable' to a host on the internet:
IP (tos 0xc0, ttl 64, id 27629, offset 0, flags [none], proto 1, length:
88) 10.10.10.169 > 83.222.7.130:
icmp 68: host 192.168.160.246 unreachable
0x0000: 45c0 0058 6bed 0000 4001 9de5 0a0a 0aa9
0x0010: 53de 0782 0301 ba2c 0000 0000 4560 003c
0x0020: fe9a 4000 3206 8cc2 53de 0782 c0a8 a0f6
0x0030: 0014 1389 9b72 1732 0000 0000 a002 16d0
0x0040: 6a23 0000 0204 05b4 0402 080a 5a28 e9a8
0x0050: 0000 0000 0103 0302
This icmp-packet was generated in reaction to a tcp-packet coming from host 83.222.7.130 with only the syn-flag set.
On the firewall I found the following entry in the file
/proc/net/ip_conntrack:
tcp 6 429852 ESTABLISHED src=83.222.7.130 dst=195.xx.xx.xx sport=20 dport=5001
src=192.168.160.246 dst=83.222.7.130 sport=5001 dport=20 [ASSURED] use=1
Note: 195.xx.xx.xx is the Internet IP address of the firewall
This was all I found in the file /proc/net/ip_conntrack concerning host 83.222.7.130 and host 192.168.160.246.
No second entry for these two hosts, e.g. for port 21 or any other port.
The host 192.168.160.246 has apparently established a tcp-connection to the ftp-Server
83.222.7.130 and the client then disappeared without sending any fin or reset flag
(I am sure that I had no machine with IP address 192.168.169.246 on the net, but
I am still looking for an explanation for that!)
My Problem now:
Is it possible that syn-packets coming from ftp-servers can pass the firewall
by using ftp active mode if connection-tracking is used by the firewall?
My firewall-rules for ftp:
<-- snipp -->
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
<--snipp -->
iptables -A FORWARD -i $INT_INTERF -o $EXT_INTERF -j client-chain-ext
<-- snipp -->
iptables -A client-chain-ext -p tcp -s $NETZ --sport $UNPRIVPORTS -d any/0 --dport 21 -m state --state NEW -j ACCEPT
I have no rule for port 20, the last rule is all I configured for ftp.
I fear that ip_conntrack_ftp perhaps opens active-ftp transfers!
Has anybody seen something similar?
If active-ftp is possible, any idea how to block it?
THX for every answer and help!!
Leopold Aichinger
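The two artefacts quoted in the mail, the tcpdump hex dump and the ip_conntrack entry, can be decoded mechanically. The Python below is an added illustration, not code from the mail or from the netfilter project. It parses the quoted hex dump to show the ICMP type/code and the embedded TCP SYN from 83.222.7.130 port 20 to 192.168.160.246 port 5001, and it parses a conntrack line to flag entries whose original direction was opened from an external port 20 toward an internal host, which is the signature of an active-mode FTP data channel admitted through the RELATED state. The internal network 192.168.160.0/24 is an assumption; the conntrack line re-types the one in the mail and keeps the masked 195.xx.xx.xx as-is.

```python
import ipaddress
import struct

# Constructed input: the tcpdump hex dump quoted in the mail, re-typed here.
HEXDUMP = """
0x0000: 45c0 0058 6bed 0000 4001 9de5 0a0a 0aa9
0x0010: 53de 0782 0301 ba2c 0000 0000 4560 003c
0x0020: fe9a 4000 3206 8cc2 53de 0782 c0a8 a0f6
0x0030: 0014 1389 9b72 1732 0000 0000 a002 16d0
0x0040: 6a23 0000 0204 05b4 0402 080a 5a28 e9a8
0x0050: 0000 0000 0103 0302
"""

# Constructed input: the /proc/net/ip_conntrack line from the mail (firewall address stays masked).
CONNTRACK_LINE = ("tcp 6 429852 ESTABLISHED src=83.222.7.130 dst=195.xx.xx.xx sport=20 dport=5001 "
                  "src=192.168.160.246 dst=83.222.7.130 sport=5001 dport=20 [ASSURED] use=1")

# Assumption: the LAN behind the firewall.
INTERNAL_NET = ipaddress.ip_network("192.168.160.0/24")

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def hexdump_to_bytes(dump):
    """Turn tcpdump -x style lines ('0x0010: 53de 0782 ...') into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, words = line.partition(":")
        out.extend(bytes.fromhex(words.replace(" ", "")))
    return bytes(out)


def parse_ipv4(buf):
    """Decode the fields of an IPv4 header we care about; return (header, payload)."""
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    hdr = {"ihl": ihl, "len": total_len, "ttl": buf[8], "proto": buf[9],
           "src": str(ipaddress.IPv4Address(buf[12:16])),
           "dst": str(ipaddress.IPv4Address(buf[16:20]))}
    return hdr, buf[ihl:]


def parse_tcp_header(buf):
    """Decode ports, sequence numbers and flag names from a TCP header."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", buf[:14])
    flags = off_flags & 0x3F
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit]}


def decode_icmp_unreachable(packet):
    """Decode an ICMP error and the original IP/TCP header it quotes (RFC 792 layout)."""
    outer, rest = parse_ipv4(packet)
    if outer["proto"] != 1:
        raise ValueError("outer packet is not ICMP")
    result = {"outer_src": outer["src"], "outer_dst": outer["dst"],
              "icmp_type": rest[0], "icmp_code": rest[1]}
    # 8 bytes of ICMP header (type, code, checksum, unused) precede the quoted datagram.
    inner, inner_rest = parse_ipv4(rest[8:])
    result["inner"] = inner
    if inner["proto"] == 6:
        result["tcp"] = parse_tcp_header(inner_rest)
    return result


def parse_conntrack_line(line):
    """Split an ip_conntrack entry into original-direction and reply-direction tuples."""
    fields = line.split()
    proto, timeout = fields[0], int(fields[2])
    state = fields[3] if proto == "tcp" else None
    kv = [f.split("=", 1) for f in fields if "=" in f]
    # First src/dst/sport/dport group is the original direction, second is the reply.
    return {"proto": proto, "timeout": timeout, "state": state,
            "orig": dict(kv[:4]), "reply": dict(kv[4:8]),
            "assured": "[ASSURED]" in fields}


def is_active_ftp_data(entry, internal_net):
    """True when a TCP flow was opened from external port 20 toward an internal host,
    i.e. an active-mode FTP data connection that the firewall let through."""
    orig, reply = entry["orig"], entry["reply"]
    return (entry["proto"] == "tcp"
            and orig["sport"] == "20"
            and ipaddress.ip_address(reply["src"]) in internal_net
            and ipaddress.ip_address(orig["src"]) not in internal_net)


if __name__ == "__main__":
    decoded = decode_icmp_unreachable(hexdump_to_bytes(HEXDUMP))
    print("ICMP type/code:", decoded["icmp_type"], decoded["icmp_code"])
    print("quoted packet:", decoded["inner"]["src"], "->", decoded["inner"]["dst"], decoded["tcp"])
    entry = parse_conntrack_line(CONNTRACK_LINE)
    print("active FTP data channel seen:", is_active_ftp_data(entry, INTERNAL_NET))
```

The decoder confirms what the tcpdump summary says: type 3 code 1 (host unreachable) wrapping a SYN whose source port is 20, and the conntrack entry shows the same flow with the external server as the original-direction source. That shape is exactly what the ip_conntrack_ftp helper produces when it reads a PORT command on the control channel and registers an expectation, so the server's SYN from port 20 matches RELATED and the first snipped FORWARD rule accepts it. Running the conntrack check periodically over /proc/net/ip_conntrack is a cheap way to see whether active-mode data channels are being admitted at all.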