
Re: stateful firewall



* coryp@petersen-arne.com [2001.03.21 18:13]:
> Can anyone tell me either by opinion, or preferably by scientific
> fact, how much more secure the stateful netfilter in the 2.4 kernel
> is compared to the 2.2 series firewall?  Are they about the same, or
> are we talking an order of magnitude?
> 
> Note, I'm not talking about ipchains vs iptables; the interface to
> the firewall, rather I'm talking about netfilter as the kernel
> firewall versus whatever the 2.2 kernel filter was called.
> Statefulness vs statelessness.
> 
> When I specify, allow Established and Related connections in, is this
> secure? Is it possible for someone to hijack an established
> connection?  Even with spoofed packets?  What is a related
> connection?
> 
> Thanks!
> Cory
> 

I'm by no means an expert on this subject, so take this with a grain of
salt...actually, consider this bogus until someone with more experience
can comment on my comments.  All of the following comes from an evening
with ethereal and some RFCs.  *grim*

Your questions got me wondering about this and about exactly how TCP
works, so I went to RFC 793.  After reading through parts of it, I have
a little better understanding of TCP.  I would suggest reading as much
of it as you can stand.

My uneducated guess is that it would be possible to perform a
man-in-the-middle hijacking of a stream.  From my reading of RFC 793
(and very little of RFC 760), the keys are the IP ID (for decoding
packet fragmentation) and the TCP sequence numbers.  It seems like
someone could follow a connection from the beginning to know what to
expect next and hijack it.  Then again, there are about 3000 RFCs I
haven't read.  *grin*  I seem to remember IPv6 aiming to fix some of
this.

As far as spoofed packets go, I don't see how that would be a problem
for TCP.  You could spoof a connection (SYN packet) from an allowed
host, but without an ACK with the appropriate sequence numbers from
the *real* host that was spoofed, the connection would never be
"established".  Hmm...I guess you could go back to the man-in-the-middle
stuff to make this work (assuming that's possible).  UDP, on the other
hand, doesn't have states and doesn't require ACKs, so spoof attacks
would probably work.

Anyway, I've probably made some blatant errors in my thinking, so
please enlighten me...I'm even interested to know if I'm right.  *grin*
-- 
Cameron Moore
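As an added illustration (not code from this post, and not netfilter's own connection tracking), here is a toy connection tracker in Python that models the point made above: a flow is marked ESTABLISHED only after a SYN-ACK and a final ACK whose acknowledgement numbers match the peers' initial sequence numbers, so a SYN forged with an allowed source address never opens the return path on its own. The addresses and sequence numbers are constructed sample values.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits
@dataclass(frozen=True)
class Segment:
    src: str      # "ip:port" of sender; all addresses below are constructed
    dst: str
    flags: int
    seq: int
    ack: int = 0

class ConnTracker:
    """Toy tracker: classifies each segment as NEW, ESTABLISHED or INVALID.
    Simplified model: no RST/FIN handling, no window checks, no timeouts."""
    def __init__(self):
        self.flows = {}   # (client, server) -> {"state", "cisn", "sisn"}

    def classify(self, s: Segment) -> str:
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        if s.flags == SYN and fwd not in self.flows:    # client opens
            self.flows[fwd] = {"state": "SYN_SENT", "cisn": s.seq, "sisn": 0}
            return "NEW"
        if s.flags == SYN | ACK and rev in self.flows:  # server answers
            f = self.flows[rev]
            if f["state"] == "SYN_SENT" and s.ack == f["cisn"] + 1:
                f["state"], f["sisn"] = "SYN_RECV", s.seq
                return "NEW"                            # still not established
            return "INVALID"
        f = self.flows.get(fwd) or self.flows.get(rev)
        if f is None:
            return "INVALID"                            # untracked traffic
        if fwd in self.flows and f["state"] == "SYN_RECV" and s.ack == f["sisn"] + 1:
            f["state"] = "ESTABLISHED"                  # handshake completed
        return "ESTABLISHED" if f["state"] == "ESTABLISHED" else "INVALID"

def genuine_handshake() -> list:
    """Real client: SYN, SYN-ACK, ACK; afterwards the server's reply is ESTABLISHED."""
    ct, c, srv = ConnTracker(), "10.0.0.5:40000", "192.0.2.10:80"
    return [ct.classify(Segment(c, srv, SYN, seq=1000)),
            ct.classify(Segment(srv, c, SYN | ACK, seq=5000, ack=1001)),
            ct.classify(Segment(c, srv, ACK, seq=1001, ack=5001)),
            ct.classify(Segment(srv, c, ACK, seq=5001, ack=1001))]

def spoofed_syn() -> list:
    """SYN forged with an allowed source: the SYN-ACK (and the server's ISN) is
    delivered to the real host, so the forger's final ACK carries a wrong ack."""
    ct, c, srv = ConnTracker(), "10.0.0.5:40001", "192.0.2.10:80"
    return [ct.classify(Segment(c, srv, SYN, seq=42)),
            ct.classify(Segment(srv, c, SYN | ACK, seq=7777, ack=43)),
            ct.classify(Segment(c, srv, ACK, seq=43, ack=1))]
```

A real tracker additionally validates sequence windows, handles RST and FIN, and ages entries out; this model omits all of that and only shows why "allow ESTABLISHED" is not satisfied by a spoofed SYN alone.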