From: William Fitzgerald <wfitzgerald@tssg.org>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Query: Stateful parameters Explicitly and Implicitly defined, which is it?
Date: Tue, 20 Oct 2009 22:07:21 +0100
Message-ID: <4ADE2689.4070707@tssg.org>

Dear experts,

If a rule has a state of NEW does it implicitly imply ESTABLISHED also?

Looking at examples on the web I see references to both.

For example to permit access to an internal Web server, which of the 
straw-man rules are correct?

Implicit Established Example:
iptables -A FORWARD -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT

Explicit Established Example:
iptables -A FORWARD -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT


Similarly, I see reference to setting TCP flags as a control measure. 
Particularly for port scanning etc. However, sticking with the Web 
server example, an internal Web Server should expect a client to 
initiate a connection (SYN flag) but the server itself should not do this.

Example straw-man rules of the stateless kind:
iptables -A FORWARD -i eth0 -p tcp --dport 80 --tcp-flags SYN,RST,ACK,FIN SYN -j ACCEPT

iptables -A FORWARD -o eth1 -p tcp --sport 80 --tcp-flags ACK ACK -j ACCEPT

The thing is, what happens after the 3-way handshake? Incoming http 
requests will no longer have a SYN flag set! So is there some implicit 
knowledge that netfilter or other packet filters operate over?

regards,
Will.
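The following is an added example, written for this page and not part of the original post or of netfilter itself. It is a toy model of the `-m state` match and of a stateless `--syn` rule, fed with one constructed forwarded HTTP session (SYN, SYN/ACK, ACK, request, response) plus a stray ACK that never completed a handshake. The addresses, ports, interface names and the Rule format are all constructed; the tracker is a deliberate simplification of conntrack (one entry per direction-neutral 5-tuple, NEW until a reply has been seen, ESTABLISHED afterwards and for every reply-direction packet, INVALID when no entry exists and the packet does not start one). The same packet list is run against each candidate rule set so the verdicts can be compared, which is why a packet may still appear after one the rule set would have dropped.

```python
"""Toy model of iptables '-m state' and '--syn' on a forwarded HTTP session.

Added example for this page, not netfilter code.  Conntrack is simplified to:
a bare SYN with no entry is NEW; originator packets stay NEW until a reply has
been seen; reply-direction packets and everything after that are ESTABLISHED;
anything else without an entry is INVALID.  All sample values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

SYN_MASK = frozenset({"SYN", "RST", "ACK", "FIN"})  # the mask behind iptables' --syn


@dataclass(frozen=True)
class Packet:
    iif: str                 # interface the packet arrives on (-i)
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]

    def key(self) -> Tuple:
        # Both directions of one TCP connection share a single conntrack entry.
        return tuple(sorted([(self.src, self.sport), (self.dst, self.dport)]))


class Conntrack:
    """Classifies packets as NEW / ESTABLISHED / INVALID, as '-m state' sees them."""

    def __init__(self) -> None:
        self.table: Dict[Tuple, Tuple[Tuple[str, int], bool]] = {}  # key -> (originator, reply_seen)

    def classify(self, pkt: Packet) -> str:
        entry = self.table.get(pkt.key())
        if entry is None:
            # Only a bare SYN may start a connection in this model; a mid-stream ACK
            # with no entry is INVALID (real conntrack can be tuned to pick such flows up).
            return "NEW" if (pkt.flags & SYN_MASK) == {"SYN"} else "INVALID"
        originator, reply_seen = entry
        if (pkt.src, pkt.sport) == originator:
            return "ESTABLISHED" if reply_seen else "NEW"
        self.table[pkt.key()] = (originator, True)   # first reply: traffic is now two-way
        return "ESTABLISHED"

    def confirm(self, pkt: Packet) -> None:
        # As in netfilter, a new entry is only confirmed once the packet is accepted.
        self.table.setdefault(pkt.key(), ((pkt.src, pkt.sport), False))


@dataclass(frozen=True)
class Rule:
    target: str                               # -j
    iif: Optional[str] = None                 # -i
    dport: Optional[int] = None               # -p tcp --dport
    states: Optional[FrozenSet[str]] = None   # -m state --state A,B
    syn: bool = False                         # --syn (== --tcp-flags SYN,RST,ACK,FIN SYN)

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.iif is None or pkt.iif == self.iif)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.states is None or state in self.states)
                and (not self.syn or (pkt.flags & SYN_MASK) == {"SYN"}))


def forward_chain(rules: List[Rule], pkt: Packet, state: str) -> Tuple[str, Optional[int]]:
    """First matching rule wins; the chain policy is DROP (reported with index None)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt, state):
            return rule.target, i
    return "DROP", None


def run(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, str, Optional[int]]]:
    """Run packets through conntrack and the FORWARD chain: (state, verdict, rule index)."""
    ct = Conntrack()
    out = []
    for pkt in packets:
        state = ct.classify(pkt)
        verdict, idx = forward_chain(rules, pkt, state)
        if state == "NEW" and verdict == "ACCEPT":
            ct.confirm(pkt)
        out.append((state, verdict, idx))
    return out


# Constructed sample: a client behind eth0 talks to a web server behind eth1.
CLIENT, SERVER, CPORT = "198.51.100.7", "10.0.0.80", 51234
HTTP_SESSION = [
    Packet("eth0", CLIENT, CPORT, SERVER, 80, frozenset({"SYN"})),         # handshake 1/3
    Packet("eth1", SERVER, 80, CLIENT, CPORT, frozenset({"SYN", "ACK"})),  # handshake 2/3
    Packet("eth0", CLIENT, CPORT, SERVER, 80, frozenset({"ACK"})),         # handshake 3/3
    Packet("eth0", CLIENT, CPORT, SERVER, 80, frozenset({"PSH", "ACK"})),  # GET request
    Packet("eth1", SERVER, 80, CLIENT, CPORT, frozenset({"PSH", "ACK"})),  # response
]
STRAY_ACK = [Packet("eth0", "203.0.113.9", 40000, SERVER, 80, frozenset({"ACK"}))]  # no handshake

# iptables -A FORWARD -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
NEW_ONLY = [Rule("ACCEPT", iif="eth0", dport=80, states=frozenset({"NEW"}))]
# iptables -A FORWARD -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
NEW_AND_EST = [Rule("ACCEPT", iif="eth0", dport=80, states=frozenset({"NEW", "ESTABLISHED"}))]
# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
USUAL_PAIR = [Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})), NEW_ONLY[0]]
# iptables -A FORWARD -i eth0 -p tcp --dport 80 --syn -j ACCEPT   (stateless)
STATELESS_SYN = [Rule("ACCEPT", iif="eth0", dport=80, syn=True)]

if __name__ == "__main__":
    for name, rules in [("NEW only", NEW_ONLY), ("NEW,ESTABLISHED", NEW_AND_EST),
                        ("ESTABLISHED,RELATED + NEW", USUAL_PAIR), ("stateless --syn", STATELESS_SYN)]:
        print(f"{name:28s}", [v for _, v, _ in run(rules, HTTP_SESSION)])
```

Running it shows that neither single rule lets the server's SYN/ACK back out (it arrives on eth1 with source port 80, so a rule on `-i eth0 --dport 80` never sees it), and that with `NEW` alone the client's own ACK and GET are dropped as well, because a NEW rule matches only until the connection has seen a reply. The stateless `--syn` rule behaves the same way after the handshake: the GET carries ACK, not SYN, so nothing matches it. The pair that actually carries the session is a generic `ESTABLISHED,RELATED` rule plus a per-service `NEW` rule; in that set the GET is admitted by the ESTABLISHED rule (index 0), not by the NEW rule, and the stray ACK with no handshake is INVALID and falls through to the DROP policy.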

Thread overview: 7+ messages
2009-10-20 21:07 William Fitzgerald [this message]
2009-10-21  7:21 ` Query: Stateful parameters Explicitly and Implicitly defined, which is it? John Lister
2009-10-21  7:59 ` Mart Frauenlob
2009-10-21  8:46   ` William Fitzgerald
2009-10-21  9:33     ` Mart Frauenlob
2009-10-21  9:46       ` William Fitzgerald
2009-10-21 10:08         ` Mart Frauenlob
