* Re: icmp messages to spoofed address accepted by -m conntrack --ctstate ESTABLISHED,RELATED
@ 2004-03-19 20:41 Jim Laurino
2004-03-19 21:25 ` Antony Stone
0 siblings, 1 reply; 3+ messages in thread
From: Jim Laurino @ 2004-03-19 20:41 UTC (permalink / raw)
To: netfilter list
On 2004.03.18 17:35, Jim Laurino - nfcan.x.jimlaur@dfgh.net wrote:
> I added a rule with this matching pattern to
> the iptables firewall on my machine.
>
> -m conntrack --ctstate ESTABLISHED,RELATED
>
> It is matching icmp packets about an
> unreachable destination that are sent here
> because someone is spoofing my IP address.
>
> I do not see in /proc/net/ip_conntrack
> any entry that I think should match these packets.
>
> I have come here to try to find out if this
> match is the expected behavior of this rule,
> or if this match is a misuse of the conntrack
> module by me, or if this is a bug in connection tracking.
>
> Regards,
>
> Jim Laurino
>
>
* Re: icmp messages to spoofed address accepted by -m conntrack --ctstate ESTABLISHED,RELATED
2004-03-19 20:41 icmp messages to spoofed address accepted by -m conntrack --ctstate ESTABLISHED,RELATED Jim Laurino
@ 2004-03-19 21:25 ` Antony Stone
2004-03-20 0:22 ` Jim Laurino
0 siblings, 1 reply; 3+ messages in thread
From: Antony Stone @ 2004-03-19 21:25 UTC (permalink / raw)
To: netfilter list
On Friday 19 March 2004 8:41 pm, Jim Laurino wrote:
> On 2004.03.18 17:35, Jim Laurino - nfcan.x.jimlaur@dfgh.net wrote:
> > I added a rule with this matching pattern to
> > the iptables firewall on my machine.
> >
> > -m conntrack --ctstate ESTABLISHED,RELATED
> >
> > It is matching icmp packets about an
> > unreachable destination that are sent here
> > because someone is spoofing my IP address.
On Thursday 18 March 2004 10:53 pm, Antony Stone wrote:
> I agree with this latter explanation.
>
> http://isc.incidents.org/port_details.html?port=1026
> http://www.mynetwatchman.com/kb/security/articles/popupspam
> http://www.lurhq.com/popup_spam.html
Regards,
Antony.
--
In Heaven, the police are British, the chefs are Italian, the beer is Belgian,
the mechanics are German, the lovers are French, the entertainment is
American, and everything is organised by the Swiss.
In Hell, the police are German, the chefs are British, the beer is American,
the mechanics are French, the lovers are Swiss, the entertainment is Belgian,
and everything is organised by the Italians.
Please reply to the list;
please don't CC me.
* Re: icmp messages to spoofed address accepted by -m conntrack --ctstate ESTABLISHED,RELATED
2004-03-19 21:25 ` Antony Stone
@ 2004-03-20 0:22 ` Jim Laurino
0 siblings, 0 replies; 3+ messages in thread
From: Jim Laurino @ 2004-03-20 0:22 UTC (permalink / raw)
To: netfilter list
Hi,
Well, yes, but my question is not whether
someone is spoofing my ip, but whether
the iptables connection tracking code
should match the icmp packet if there
was no packet sent out.
Will someone explain whether the
match is the expected behavior of this rule,
or if this match is a misuse of the conntrack
module by me.
Or is this possibly a bug in connection tracking?
What is this icmp packet related to?
What established connection does it match?
Could this rule match other protocols?
Could this be a risk?
If it is a bug,
or if no one knows,
I will report it.
I am grateful for the effort that the developers
have put into creating and maintaining iptables,
and I am simply trying to do my part to help
with the maintenance.
By the way, Antony, thanks for the jokes.
I have been trying to recall that last one
for years. It never gets old, only I do.
Jim Laurino
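The open question in this thread is what state conntrack could possibly hold for these ICMP errors. Linux connection tracking decides RELATED for an ICMP error by parsing the original packet quoted inside the error and looking that tuple up in the conntrack table (either direction), so the check a defender can make by hand is exactly that lookup. The Python below is an added example, not code from this thread or from netfilter: the ip_conntrack line, the addresses and the packets are constructed, and the lookup mirrors the kernel's rule rather than calling into it.

```python
import socket
import struct

# Constructed /proc/net/ip_conntrack line (2.4/2.6 format) for one UDP flow that the
# example host 192.0.2.10 itself started; all addresses are from documentation ranges.
CONNTRACK_SAMPLE = (
    "udp 17 25 src=192.0.2.10 dst=198.51.100.5 sport=40000 dport=1026 "
    "src=198.51.100.5 dst=192.0.2.10 sport=1026 dport=40000 use=1\n"
)
PROTO_NAMES = {6: "tcp", 17: "udp"}

def parse_conntrack(text):
    """Original-direction tuples (proto, src, dst, sport, dport) from ip_conntrack lines."""
    tuples = set()
    for line in text.splitlines():
        fields, orig = line.split(), {}
        for f in fields:
            k, _, v = f.partition("=")
            if k in ("src", "dst", "sport", "dport") and k not in orig:
                orig[k] = v  # first src/dst group is the original direction, second the reply
        tuples.add((fields[0], orig["src"], orig["dst"], int(orig["sport"]), int(orig["dport"])))
    return tuples

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; the checksum stays zero because only parsing is exercised."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def icmp_unreachable(sender, victim, inner_src, inner_dst, inner_proto, sport, dport):
    """ICMP type 3 quoting the offending packet's IP header plus 8 bytes of its L4 header."""
    inner = ipv4_header(inner_src, inner_dst, inner_proto, 8) + struct.pack("!HHHH", sport, dport, 8, 0)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner
    return ipv4_header(sender, victim, 1, len(icmp)) + icmp

def inner_tuple(packet):
    """Tuple of the packet quoted inside an ICMP error message, or None if not an error."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or packet[ihl] not in (3, 4, 5, 11, 12):
        return None
    inner = packet[ihl + 8:]
    iihl = (inner[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
    return (PROTO_NAMES.get(inner[9], str(inner[9])), src, dst, sport, dport)

def should_be_related(packet, tuples):
    """RELATED only if the quoted packet belongs to a tracked flow, in either direction."""
    t = inner_tuple(packet)
    return t is not None and (t in tuples or (t[0], t[2], t[1], t[4], t[3]) in tuples)
```

Backscatter from a spoofed source quotes a packet this host never sent, so the lookup fails and the packet should be treated as INVALID rather than RELATED; if a real ruleset accepts it anyway, the quoted inner tuple is the first thing to compare against the live table.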