From: tom <tom@t0mb.net>
To: Hugo Mildenberger <Susan.Scheibe@t-online.de>
Cc: netfilter@lists.netfilter.org
Subject: Re: RELATED connections and the feeling of security
Date: Fri, 13 Apr 2007 19:05:53 +0100 [thread overview]
Message-ID: <461FC681.20609@t0mb.net> (raw)
In-Reply-To: <200704131202.27971.Hugo.Mildenberger@t-online.de>
Hugo Mildenberger wrote:
> Sifting through a workstation firewall log file some time ago, I stumbled on
> an ip-address translating to a webserver of a well known German newspaper
> (actually it was www.faz.net) which apparently had tried to initiate a
> connection to port 80 of my workstation, which itself was sitting behind a
> NATing router running an iptables based firewall on top of linux.
>
> But it was not iptables that prevented this form of professional curiosity,
> it was the Windows firewall running on the workstation itself that stopped
> and disclosed it.
>
> Looking at my iptables rule set, I asked myself why, all over the world, nearly
> everybody suggests that inexperienced users allow connections based
> on "RELATED" state. You can find literally thousands of such well-meant
> hints: oh, you need a firewall setup, here it is:
>
> "iptables -A INPUT -m state --state ESTABLISHED, RELATED - j ACCEPT"
>
Could it be related to the syntax error above? hehe
> This means allowing inbound connections having nothing in common with the
> initiating outbound connection, except for the ip-address pair used by the
> initiating connection, leaving your nominally firewalled systems exposed to any
> malicious site you accidentally stumble on, whereas using "ESTABLISHED" alone
> here would restrict connections to be outbound only.
>
> Also the "Shorewall" firewall ruleset actually builds upon "RELATED" state,
> and has dropped any provisions it made in earlier revisions to switch off
> this feature at least optionally.
>
> I felt alienated when I noticed a certain thread concerning that very same
> issue on Tom Eastep's "Shorewall" site. A user (not me), who had complained
> about this insecure prerequisite, was informed by Mr. Eastep personally that
> he had the choice either to use Shorewall and accept those related inbound
> connections, or not to use Shorewall at all.
>
> The balance is: what kind of security does an SPI firewall product provide when
> each host you contact from inside is able to invade your private network
> within a few milliseconds? Most users are not aware that following the simple
> ruleset once proposed in a popular netfilter FAQ leads to a system showing
> the behavior of a molten polarity protection diode: you would not notice it
> until the moment someone permutes the poles.
>
>
> Best Regards
>
> Hugo Mildenberger
>
>
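Added illustration, not part of Tom's reply or of anything else in this thread: a small Python model of how netfilter conntrack assigns the NEW, ESTABLISHED and RELATED states that `-m state --state ...` matches on, following the definitions in the iptables(8) manual (ESTABLISHED: the connection has seen packets in both directions; RELATED: a packet starting a new connection that is associated with an existing one, such as an FTP data transfer or an ICMP error). It walks the situation the quoted mail describes: an outbound HTTP request, then a fresh inbound connection from that same server to port 80 on the workstation, plus an ICMP error and an active-mode FTP data channel for comparison. The addresses are constructed RFC 5737 documentation addresses, the FTP helper is a sketch of what nf_conntrack_ftp does after seeing a PORT command (an assumption about its outline, not its code), and the rule string is written the way iptables actually parses it: no whitespace inside the comma-separated state list and `-j` as a single token.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """A 5-tuple in the direction the packet travels."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Conntrack:
    """Toy state table: original-direction flow -> has a reply been seen yet?"""
    table: Dict[Flow, bool] = field(default_factory=dict)
    expectations: Set[Flow] = field(default_factory=set)  # child flows a helper announced

    def classify(self, pkt: Flow, icmp_quotes: Optional[Flow] = None) -> str:
        """Return the conntrack state this packet matches, updating the table."""
        if pkt in self.table:                         # original direction
            return "ESTABLISHED" if self.table[pkt] else "NEW"
        if pkt.reverse() in self.table:               # reply direction: both ways now seen
            self.table[pkt.reverse()] = True
            return "ESTABLISHED"
        if icmp_quotes is not None:                   # ICMP error carrying an inner header
            if icmp_quotes in self.table or icmp_quotes.reverse() in self.table:
                return "RELATED"
            return "INVALID"
        if pkt in self.expectations:                  # helper-announced child connection
            self.expectations.discard(pkt)
            self.table[pkt] = False
            return "RELATED"
        self.table[pkt] = False                       # nothing known about it: brand new
        return "NEW"

    def ftp_helper_port(self, ctrl: Flow, data_port: int) -> None:
        """Sketch of the FTP helper after a PORT command on an established control
        channel: expect the server to connect from port 20 to the announced port."""
        if not self.table.get(ctrl):
            raise ValueError("helper only acts on an established control connection")
        self.expectations.add(Flow("tcp", ctrl.dst, 20, ctrl.src, data_port))


def rule_accepts(states: str, pkt_state: str) -> bool:
    """Match semantics of '-m state --state <list>' (comma-separated, no spaces)."""
    return pkt_state in states.split(",")


def scenario() -> List[Tuple[str, str, bool]]:
    """Replay the quoted mail's situation; (label, state, accepted by the common rule)."""
    ct = Conntrack()
    ws, web, router = "192.0.2.10", "198.51.100.5", "203.0.113.1"  # constructed addresses
    rule = "ESTABLISHED,RELATED"                    # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    packets = []

    http = Flow("tcp", ws, 40000, web, 80)
    packets.append(("outbound SYN to web server", ct.classify(http)))
    packets.append(("SYN-ACK back from web server", ct.classify(http.reverse())))
    # The web server now dials a fresh connection to port 80 on the workstation.
    packets.append(("server's new SYN to workstation:80", ct.classify(Flow("tcp", web, 51234, ws, 80))))
    # A router sends an ICMP error that quotes the HTTP flow's header.
    packets.append(("ICMP error quoting the HTTP flow",
                    ct.classify(Flow("icmp", router, 0, ws, 0), icmp_quotes=http)))
    # Active-mode FTP: control channel established, PORT seen, server connects back from :20.
    ctrl = Flow("tcp", ws, 40001, web, 21)
    ct.classify(ctrl)
    ct.classify(ctrl.reverse())
    ct.ftp_helper_port(ctrl, 50000)
    packets.append(("FTP data channel from server:20", ct.classify(Flow("tcp", web, 20, ws, 50000))))

    return [(label, state, rule_accepts(rule, state)) for label, state in packets]


if __name__ == "__main__":
    for label, state, accepted in scenario():
        print(f"{label:40s} {state:12s} accepted={accepted}")
```

The third line of the output is the one worth looking at: a server you have just talked to that opens its own connection to port 80 on your machine produces a packet with no tracked counterpart and no helper expectation, so it is NEW and an ESTABLISHED,RELATED accept rule does not let it through; what RELATED does admit is the ICMP error and the helper-expected FTP data channel, which is why loading only the helpers you need matters.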
2007-04-13 10:02 RELATED connections and the feeling of security Hugo Mildenberger
2007-04-13 11:30 ` Cedric Blancher
2007-04-13 12:57 ` Hugo Mildenberger
2007-04-13 14:31 ` Cedric Blancher
2007-04-13 19:21 ` Hugo Mildenberger
2007-04-13 17:54 ` Pascal Hambourg
2007-04-13 19:51 ` Martijn Lievaart
2007-04-13 21:52 ` Pascal Hambourg
2007-04-13 18:05 ` tom [this message]