Linux Netfilter discussions
From: Eliezer Croitoru <eliezer@ngtech.co.il>
To: netfilter@vger.kernel.org
Subject: RE: basic understanding of iptables - some questions
Date: Sun, 11 Dec 2016 00:52:16 +0200
Message-ID: <057b01d25338$0e5a7950$2b0f6bf0$@ngtech.co.il>
In-Reply-To: <20161210151139.GT8339@harrier.slackbuilds.org>

Rob0 thanks for the notes.
First things first... I have seen a version of ssh somewhere a couple of years ago
that used some kind of FTP over udp on port 22.
I do not remember the details but it was there and worked for good and bad.
Mosh works on other ports than 22 so this rule is not for mosh.
Probably the version I have seen was a self-compiled one which was never
released to the public or to anyone except a specific group of sys admins.

I believe that it shouldn't be allowed (22 udp) on systems since it's an open
port waiting for smugglers to smuggle things in and out of the network
pretending to be 22 to the naked admin eye.

And... it's not such a big issue to write an sftp service or an nrpe-like
service that will utilize this port for smuggling things.
Leaving ssh, the main subject, aside, most of the BitTorrent world is utilizing
uTP which is a protocol over udp which uses a couple of very nice FW holes or
piercing like the one that was mentioned.
The most used one is ESTABLISHED,RELATED which the bittorrent users use to
"open" a fake connection from the inside out and, using a coordinator, both
peers are 'piercing' the FW each of them from his side.

I can demonstrate if required but I believe it's a known enough issue in
this area of the Internet so I shouldn't need to dirty my hands coding
such a thing.

Eliezer

* let me know if I missed something.

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@ngtech.co.il


-----Original Message-----
From: netfilter-owner@vger.kernel.org
[mailto:netfilter-owner@vger.kernel.org] On Behalf Of /dev/rob0
Sent: Saturday, December 10, 2016 5:12 PM
To: netfilter@vger.kernel.org
Subject: Re: basic understanding of iptables - some questions

[ top-posting fixed ]
> Pascal Hambourg:
> Le 20/11/2016 à 21:45, Lentes, Bernd a écrit :
> >
> > Chain ufw-user-input (1 references)
> >  pkts bytes target     prot opt in     out     source               destination
> > 41587 1849K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
> >     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:22
> 
> Silly. SSH does not use UDP.

On Sat, Dec 10, 2016 at 10:43:47AM +0200, Eliezer Croitoru wrote:
> It's not silly that ssh uses UDP since there are implementations of
> SSH which utilize UDP....

This post made me curious.  Clearly in the case of the OP, Pascal is
correct; we can see the counters on the udp/22 rule above.

I did a bit of searching and the only "ssh using udp" implementation found
was Mosh, <https://mosh.org/>, but Mosh != ssh.

Of what ssh implementation do you speak?  More to the point of this thread,
is it using udp/22?  Is it available for GNU/Linux?
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
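As an added illustration of rob0's point about reading the counters (this is not code from anyone in the thread): a small Python parser for `iptables -L -v -n` output that flags ACCEPT rules no packet has ever matched, run over a constructed listing that mirrors the ufw-user-input chain quoted above.

```python
import re
from collections import namedtuple

# Constructed sample in `iptables -L -v -n` format, mirroring the chain quoted
# in the thread (the counters are the ones shown there).
SAMPLE_LISTING = """\
Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
41587 1849K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:22
"""

# iptables -v abbreviates counters with 1000-based K/M/G suffixes.
SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

# 'extra' holds the trailing match text, e.g. 'udp dpt:22'.
Rule = namedtuple("Rule", "chain pkts nbytes target prot source destination extra")

def parse_count(text):
    """Turn a counter such as '1849K' into an int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError(f"bad counter: {text!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]

def parse_listing(listing):
    """Parse `iptables -L -v -n` output into Rule tuples, tracking the chain."""
    rules, chain = [], None
    for line in listing.splitlines():
        fields = line.split()
        if not fields or fields[0] == "pkts":
            continue  # blank line or column header
        if fields[0] == "Chain":
            chain = fields[1]
            continue
        pkts, nbytes, target, prot, _opt, _in, _out, src, dst = fields[:9]
        rules.append(Rule(chain, parse_count(pkts), parse_count(nbytes),
                          target, prot, src, dst, " ".join(fields[9:])))
    return rules

def unused_accepts(listing):
    """ACCEPT rules whose packet counter is zero: open ports nothing has used,
    candidates for removal (the udp dpt:22 rule in the thread is one)."""
    return [r for r in parse_listing(listing)
            if r.target == "ACCEPT" and r.pkts == 0]
```

The parser assumes every row has a target column; run `iptables -L -v -n -x` if you want exact rather than abbreviated counters.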