Linux Netfilter discussions
SYN packet behind the firewall
From: Leopold Aichinger @ 2005-09-20 21:18 UTC (permalink / raw)
  To: Netfilter Mailing List

Playing around with the new Snort machine I realised that a router 
behind the firewall is sending 'ICMP destination unreachable - host 
unreachable' to a host on the internet:

IP (tos 0xc0, ttl 64, id 27629, offset 0, flags [none], proto 1, length: 
88) 10.10.10.169 > 83.222.7.130:
icmp 68: host 192.168.160.246 unreachable
  0x0000: 45c0 0058 6bed 0000 4001 9de5 0a0a 0aa9
  0x0010: 53de 0782 0301 ba2c 0000 0000 4560 003c
  0x0020: fe9a 4000 3206 8cc2 53de 0782 c0a8 a0f6
  0x0030: 0014 1389 9b72 1732 0000 0000 a002 16d0
  0x0040: 6a23 0000 0204 05b4 0402 080a 5a28 e9a8
  0x0050: 0000 0000 0103 0302

This ICMP packet was generated in reaction to a TCP packet coming from 
host 83.222.7.130 with only the SYN flag set.
On the firewall I found the following entry in the file 
/proc/net/ip_conntrack:

tcp  6 429852 ESTABLISHED src=83.222.7.130 dst=195.xx.xx.xx sport=20 dport=5001 
src=192.168.160.246 dst=83.222.7.130 sport=5001 dport=20 [ASSURED] use=1 

Note: 195.xx.xx.xx is the internet IP address of the firewall.
This was all I found in the file /proc/net/ip_conntrack concerning host 83.222.7.130 and host 192.168.160.246; 
no second entry for these two hosts, e.g. for port 21 or any other port.

The host 192.168.160.246 has apparently established a TCP connection to the FTP server
83.222.7.130 and the client then disappeared without sending any FIN or reset flag
(I am sure that I had no machine with IP address 192.168.169.246 on the net, but
I am still looking for an explanation for that!)

My problem now:
Is it possible that SYN packets coming from FTP servers can pass the firewall
via FTP active mode if connection tracking is used by the firewall?

My firewall rules for FTP:

<-- snipp -->
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
<--snipp -->
iptables -A FORWARD -i $INT_INTERF -o $EXT_INTERF -j client-chain-ext
<-- snipp -->
iptables -A client-chain-ext -p tcp -s $NETZ --sport $UNPRIVPORTS -d any/0 --dport 21 -m state --state NEW -j ACCEPT

I have no rule for port 20; the last rule is all I configured for FTP.

I fear that ip_conntrack_ftp perhaps opens active FTP transfers!

Has anybody seen something similar?
If active FTP is possible, any idea how to block it?

THX for every answer and help!!

Leopold Aichinger
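Here is an added example (my own Python, not netfilter's code and not part of the original message) that decodes the tcpdump hex dump above, parses the ip_conntrack line, and reproduces the PORT arithmetic the FTP helper uses when it creates the expectation that makes the server's data SYN RELATED. The PORT command in it is constructed so that its port comes out as 5001, the data port recorded in the entry.

```python
# tcpdump -x hex dump of the ICMP error, copied from the post.
ICMP_DUMP = """
45c0 0058 6bed 0000 4001 9de5 0a0a 0aa9
53de 0782 0301 ba2c 0000 0000 4560 003c
fe9a 4000 3206 8cc2 53de 0782 c0a8 a0f6
0014 1389 9b72 1732 0000 0000 a002 16d0
6a23 0000 0204 05b4 0402 080a 5a28 e9a8
0000 0000 0103 0302
"""
# /proc/net/ip_conntrack entry from the post (the firewall's address is masked there).
CONNTRACK_LINE = ("tcp  6 429852 ESTABLISHED src=83.222.7.130 dst=195.xx.xx.xx sport=20 dport=5001 "
                  "src=192.168.160.246 dst=83.222.7.130 sport=5001 dport=20 [ASSURED] use=1")
ip_str = lambda b: ".".join(map(str, b))

def quoted_tcp_from_icmp(dump):
    """Return (src, dst, sport, dport, tcp_flags) of the datagram quoted inside an ICMP error."""
    raw = bytes.fromhex("".join(dump.split()))
    ihl = (raw[0] & 0x0F) * 4
    assert raw[9] == 1 and raw[ihl] == 3, "expected an ICMP destination-unreachable message"
    inner = raw[ihl + 8:]                     # offending datagram follows the 8-byte ICMP header
    inner_ihl = (inner[0] & 0x0F) * 4
    assert inner[9] == 6, "quoted datagram is not TCP"
    tcp = inner[inner_ihl:]
    sport, dport = int.from_bytes(tcp[:2], "big"), int.from_bytes(tcp[2:4], "big")
    return ip_str(inner[12:16]), ip_str(inner[16:20]), sport, dport, tcp[13]

def parse_conntrack(line):
    """Split an ip_conntrack line into its original and reply tuples (src, dst, sport, dport)."""
    kv = [f.split("=", 1) for f in line.split() if "=" in f]
    return dict(kv[0:4]), dict(kv[4:8])

def matches_conntrack_entry(pkt, reply):
    """True when pkt is a bare SYN whose addresses are the inverse of the entry's reply tuple,
    i.e. the original-direction packet as seen on the inside after NAT."""
    src, dst, sport, dport, flags = pkt
    syn_only = bool(flags & 0x02) and not (flags & 0x10)
    return syn_only and (src, dst, sport, dport) == (
        reply["dst"], reply["src"], int(reply["dport"]), int(reply["sport"]))

def expected_data_connection(port_cmd, server_ip):
    """Mimic the FTP helper's expectation for a client PORT command: the server may open a new
    connection to h1.h2.h3.h4:(p1*256+p2); its SYN is then RELATED (source port is not checked)."""
    h = port_cmd.split()[1].split(",")
    return server_ip, ".".join(h[:4]), int(h[4]) * 256 + int(h[5])

if __name__ == "__main__":
    pkt, (orig, reply) = quoted_tcp_from_icmp(ICMP_DUMP), parse_conntrack(CONNTRACK_LINE)
    print("quoted SYN:", pkt, "-> matches entry:", matches_conntrack_entry(pkt, reply))
    # Constructed PORT command: 19*256+137 = 5001, the data port recorded in the entry.
    print("expectation:", expected_data_connection("PORT 192,168,160,246,19,137", "83.222.7.130"))
```

The decoded SYN (83.222.7.130:20 -> 192.168.160.246:5001) is exactly the inverse of the entry's reply tuple, which is what a RELATED data connection created by the helper looks like.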
