From: Grant Taylor
Date: Thu, 21 Dec 2006 15:37:24 +0000
Subject: Re: [LARTC] Interesting article about punching holes in firewalls...
Message-Id: <458AAA34.6010201@riverviewtech.net>
References: <45860240.2040102@riverviewtech.net>
In-Reply-To: <45860240.2040102@riverviewtech.net>
To: lartc@vger.kernel.org

Carl-Daniel Hailfinger wrote:
>> I personally have known that using "-m state --state
>> ESTABLISHED,RELATED" was not the most secure thing to use for returning
>> traffic. Namely this will allow you to make a valid connection to a web
>> server, say to retrieve a picture. Then said web server could send
>> malicious traffic back to your computer and pass through your firewall.
>> This is because the traffic coming from the web server to your computer
>> is now deemed as RELATED. Previously I have written this off as not
>
> This is wrong on so many levels. Please reread the article. Then read
> the source code of your favourite firewalling system. All of those
> "attacks" require cooperation from your side. And if you (or someone
> using the computer you try to protect) are actively cooperating with
> the attacker, "fixing" the firewall should be the least important of
> your problems.

I have read the article. I suspect that my uncertainty has to do with a
lack of understanding of how the SPI portion of the code works. I am not
qualified to read the source code to make an informed opinion.

I was (mis)believing that the SPI was very simple, in that it would
classify any returning traffic coming back from a host as related. Now,
I'm getting the impression that this is not the case and that only
specific packets are considered related.

Can / will someone who is more versed in programming / reading source
code please give me a brief overview of how the kernel decides what is
and is not related?

Grant. . . .
_______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
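As an added illustration of the question raised in this message (it is example code written for this page, not kernel source and not from anyone in the thread), here is a small Python model of the decision Netfilter connection tracking makes for each packet. It models four of the states the `-m state` / `-m conntrack` match exposes: NEW (first packet of a flow, or a flow that has not yet seen both directions), ESTABLISHED (the packet belongs to a tracked flow that has seen traffic in both directions), RELATED (an ICMP error whose quoted inner header matches a tracked flow, or a connection a protocol helper explicitly registered an expectation for, as the FTP helper does after a PASV response), and INVALID (nothing matches and the packet cannot legitimately start a flow). The addresses, ports and the PASV payload are constructed for the example; the `Tuple5`, `Packet`, `Flow`, `Conntrack` and `scenario` names are this example's own; the TCP handling is simplified (a flow may only start with a SYN, so no mid-stream pickup) and only the PASV half of the FTP helper is modelled.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Tuple5:
    """Protocol plus addresses/ports: the key a flow is tracked by."""
    proto: str
    src: str
    sport: Optional[int]   # None = wildcard, used only in helper expectations
    dst: str
    dport: Optional[int]

    def reverse(self) -> "Tuple5":
        return Tuple5(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Packet:
    tup: Tuple5
    syn: bool = False               # TCP SYN without ACK: a connection attempt
    icmp_error: bool = False        # ICMP dest-unreachable / time-exceeded
    inner: Optional[Tuple5] = None  # original header quoted inside an ICMP error
    payload: bytes = b""


@dataclass
class Flow:
    seen_reply: bool = False        # ESTABLISHED only once both directions are seen


class Conntrack:
    """Toy model (assumption, not kernel code) of the NEW/ESTABLISHED/RELATED/INVALID decision."""

    def __init__(self) -> None:
        self.flows: Dict[Tuple5, Flow] = {}  # keyed by original-direction tuple
        self.expect: Set[Tuple5] = set()     # expectations registered by helpers

    def _lookup(self, t: Tuple5):
        """Return (flow key, is_reply_direction) or (None, False)."""
        if t in self.flows:
            return t, False
        if t.reverse() in self.flows:
            return t.reverse(), True
        return None, False

    def classify(self, pkt: Packet) -> str:
        t = pkt.tup
        # An ICMP error is RELATED only if the header it quotes belongs to a tracked flow.
        if pkt.icmp_error:
            if pkt.inner is not None and self._lookup(pkt.inner)[0] is not None:
                return "RELATED"
            return "INVALID"
        key, is_reply = self._lookup(t)
        if key is not None:
            flow = self.flows[key]
            if is_reply:
                flow.seen_reply = True
            return "ESTABLISHED" if flow.seen_reply else "NEW"
        # Non-ICMP RELATED means a helper explicitly expected this flow; nothing else qualifies.
        for e in self.expect:
            if ((e.proto, e.src, e.dst, e.dport) == (t.proto, t.src, t.dst, t.dport)
                    and e.sport in (None, t.sport)):
                self.expect.discard(e)
                self.flows[t] = Flow()
                return "RELATED"
        if t.proto == "tcp" and not pkt.syn:   # simplification: no mid-stream pickup
            return "INVALID"
        self.flows[t] = Flow()
        return "NEW"

    def ftp_helper(self, pkt: Packet) -> None:
        """PASV half of an FTP helper: expect client(any port) -> announced host:port."""
        m = re.search(rb"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", pkt.payload)
        if m and pkt.tup.sport == 21:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            self.expect.add(Tuple5("tcp", pkt.tup.dst, None,
                                   f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))


def scenario() -> List[str]:
    """Constructed traffic: one HTTP flow, an unsolicited inbound SYN, two ICMP errors, one FTP PASV."""
    ct = Conntrack()
    client, web, ftp = "10.0.0.2", "203.0.113.10", "203.0.113.20"  # constructed addresses
    out = []
    http = Tuple5("tcp", client, 40000, web, 80)
    out.append(ct.classify(Packet(http, syn=True)))                      # NEW
    out.append(ct.classify(Packet(http.reverse())))                      # ESTABLISHED
    # The web server sending a fresh SYN to another port on the client is NEW, not RELATED.
    out.append(ct.classify(Packet(Tuple5("tcp", web, 4444, client, 445), syn=True)))
    icmp = Tuple5("icmp", web, None, client, 0)
    out.append(ct.classify(Packet(icmp, icmp_error=True, inner=http)))   # RELATED
    out.append(ct.classify(Packet(icmp, icmp_error=True,
                                  inner=Tuple5("tcp", client, 5555, web, 8080))))  # INVALID
    ctl = Tuple5("tcp", client, 40001, ftp, 21)
    ct.classify(Packet(ctl, syn=True))
    pasv = Packet(ctl.reverse(), payload=b"227 Entering Passive Mode (203,0,113,20,195,80)\r\n")
    ct.classify(pasv)
    ct.ftp_helper(pasv)
    data = Tuple5("tcp", client, 40002, ftp, 195 * 256 + 80)
    out.append(ct.classify(Packet(data, syn=True)))                      # RELATED
    out.append(ct.classify(Packet(data.reverse())))                      # ESTABLISHED
    return out


if __name__ == "__main__":
    print(scenario())
```

The point the model makes explicit is that RELATED is never "anything coming back from a host I talked to": a packet only gets that state when an ICMP error quotes a tracked flow or a loaded helper registered an expectation for that specific tuple. Everything else from the same host is classified on its own merits, so a fresh SYN from the web server lands in NEW and is handled by whatever rule governs new inbound connections.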