From: JC <bikkit@gmail.com>
To: Henrik Nordstrom <hno@marasystems.com>
Cc: Netfilter Developers <netfilter-devel@lists.netfilter.org>
Subject: Re: tcp match silently drops packets
Date: Mon, 17 Oct 2005 16:57:00 +0300
Message-ID: <a60102c30510170657t7ecdaa9bk@mail.gmail.com>
In-Reply-To: <Pine.LNX.4.61.0510171549520.21372@filer.marasystems.com>

On 17/10/05, Henrik Nordstrom <hno@marasystems.com> wrote:
> On Mon, 17 Oct 2005, JC wrote:
>
> >> For the exact same reason the match also hotdrops fragments which would
> >> overwrite the TCP header.
> >>
> >> In theory just the second criteria is a must (drop fragments which could
> >> override an earlier decision), but as it's there the first also makes
> >> sense to drop the first as we can not allow a fragment filling in the
> >> missing pieces.
> >
> > Could someone please explain these two?
>
> An IP fragment with offset 1 can overwrite parts of the TCP header, and if
> this check is not there an attacker could bypass port matches in iptables
> by sending the packet in two fragments where the first fragment (which is
> used by the tcp match) has ports which are allowed by the ruleset and later
> the second fragment (which is ignored by the tcp match) overwrites the
> port numbers with ports which would not be allowed by the ruleset.

and that doesn't get picked up by conntrack as a different connection??
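
The two drop criteria discussed in the quoted text, written out as a stand-alone C sketch; this is an added example, not part of the thread and not the kernel's tcp match code. The names `tcp_frag_verdict`, `sample_verdict` and the `V_*` verdicts are hypothetical, the 20-byte threshold for an incomplete TCP header is an assumption, and the packets are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { V_MATCH_PORTS, V_NO_MATCH, V_HOTDROP };

/* How a TCP port match should treat one IPv4 packet (hypothetical helper). */
enum verdict tcp_frag_verdict(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return V_NO_MATCH;                      /* not a usable IPv4 header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* IP header length in bytes */
    if (ihl < 20 || ihl > len || pkt[9] != 6)   /* protocol 6 = TCP */
        return V_NO_MATCH;

    /* Fragment offset: low 13 bits of bytes 6-7, counted in 8-byte units. */
    unsigned off = ((unsigned)(pkt[6] & 0x1f) << 8) | pkt[7];

    if (off == 1)
        return V_HOTDROP;       /* starts 8 bytes in: lands inside the TCP header */
    if (off != 0)
        return V_NO_MATCH;      /* later fragment: no TCP header here to match on */
    if (len - ihl < 20)
        return V_HOTDROP;       /* assumption: under 20 bytes = incomplete header */
    return V_MATCH_PORTS;       /* whole header present: safe to compare ports */
}

/* Constructed sample packet: IHL=5, protocol TCP, all other fields zero. */
enum verdict sample_verdict(unsigned off_units, size_t payload_len)
{
    uint8_t pkt[20 + 64] = {0};
    if (payload_len > 64)
        payload_len = 64;
    pkt[0] = 0x45;
    pkt[9] = 6;
    pkt[6] = (uint8_t)((off_units >> 8) & 0x1f);
    pkt[7] = (uint8_t)(off_units & 0xff);
    return tcp_frag_verdict(pkt, 20 + payload_len);
}

int main(void)
{
    static const char *name[] = { "match ports", "no match", "hotdrop" };
    printf("offset 0, 20 bytes: %s\n", name[sample_verdict(0, 20)]);
    printf("offset 0,  8 bytes: %s\n", name[sample_verdict(0, 8)]);
    printf("offset 1, 24 bytes: %s\n", name[sample_verdict(1, 24)]);
    printf("offset 2, 24 bytes: %s\n", name[sample_verdict(2, 24)]);
    return 0;
}
```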
