From: jonetsu <jonetsu@teksavvy.com>
To: netfilter@vger.kernel.org
Subject: Re: ICMP packets seeping through a DROP policy - security concern
Date: Tue, 6 Mar 2012 20:09:25 -0500 [thread overview]
Message-ID: <20120306200925.100b9dd4@mistral.stie> (raw)
In-Reply-To: <jj35fo$t1p$1@dough.gmane.org>
On Mon, 05 Mar 2012 19:51:17 +0000,
Kerin Millar <kerframil@gmail.com> wrote :
> In that case, it's the FORWARD chain that matters. The behaviour of
> kernel 3.0.0 seems correct;
Yes, but there are two different behaviours with the same rules. One
behaviour when no conntrack module is loaded that specifies this ICMP
timeout, and one behaviour when it is loaded.
Same test as before:
1) Fresh reboot, no nf modules loaded
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout
No such file or directory
# lsmod
(no nf conntrack module loaded - no nf module for that matter)
-> ICMP pings stop immediately when the 3 rules are applied
-> nf conntrack modules are now loaded:
nf_conntrack_ipv4 9995 1
nf_defrag_ipv4 879 1 nf_conntrack_ipv4
xt_state 859 1
nf_conntrack 47425 2 nf_conntrack_ipv4,xt_state
2) Flush all rules, re-test, above modules already loaded
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout
30
-> ICMP pings continues
As observed, the nf conntrack modules are loaded automatically. But
at least one value (in this case the ICMP conntrack timeout - maybe
there are others) is not taken into account when the rules are
established in this use case.
But, if the modules are previously loaded, then the values are taken
into account. There seems to be something not right with this.
Shouldn't any module parameter be taken into account when they are
automatically loaded ? Here we see that the ICMP param is not taken
into account in the first test - can there be any other parameters
like that ?
It can also question the automatic loading of modules. Either they
are automatically loaded and all params taken into account, or admins
have to know to load the required modules manually before installing
any rules on a freshly rebooted unit (either by script or by
explicitly loading the needed modules at boot).
Can you confirm that this behaviour is what is intended, or is a bug ?
And let me know if the tests are not right. It'd be appreciated.
As a side note, as shown previously, this observance of the ICMP
conntrack timeout was absent in kernel 2.6.26, module loaded or not,
so this aspect has changed. I agree that by principle, if a timeout
is specified, then it should be observed. Which is now the case in
the latest kernels ... that is, if the module is manually and
previously loaded before applying rules only.
Thanks for any comments/suggestions.
prev parent reply other threads:[~2012-03-07 1:09 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-04 22:25 ICMP packets seeping through a DROP policy - security concern jonetsu
2012-03-05 19:51 ` Kerin Millar
2012-03-07 1:09 ` jonetsu [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120306200925.100b9dd4@mistral.stie \
--to=jonetsu@teksavvy.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox