I'm currently working on the next version of the stateful packet filter
(spf) that I packaged for Debian. This program has an option
ALLOW_ESTABLISHED_TCP that is enabled by default and I wonder if this really
is a good idea.

What this option does is allow all packets that are part of an established
TCP connection. Or in other words, the input chain has an ACCEPT rule that
lists neither source nor destination address but only asks for the SYN bit.
Without this option a reverse rule is created for each TCP connection, as it
is for UDP or ICMP. That means if you access www.debian.org a rule allowing
packets coming back from www.debian.org to exactly the port you used for
your query is created.

Now the upstream author argues that packets coming back have to be part of
an established TCP connection, so a rule allowing them in has been created
anyway. And packets not fitting this description will be filtered out by the
TCP stack anyway.

Now my gut feeling is that this works for normal connections but not
necessarily for attacks. Wasn't there an attack that sent lots of ACK
Michael Meskes | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz | Go Rhein Fire!
Tel.: (+49) 2431/72651 | Use Debian GNU/Linux!
Email: Michael@Fam-Meskes.De | Use PostgreSQL!
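The two filter modes discussed in the mail, as an added example that is not part of the original message or of spf itself: a small model of an input chain where ALLOW_ESTABLISHED_TCP is a single rule keyed only on the SYN flag, versus a per-connection reverse rule that pins remote address, remote port, local address and local port. The addresses and ports are constructed sample values (198.51.100.5 stands in for www.debian.org).

```python
# Added example, not the original mail's or spf's own code. Models the two
# spf input-chain modes: ALLOW_ESTABLISHED_TCP (one rule that only checks the
# SYN flag) versus a reverse rule created per outgoing connection.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # remote address
    sport: int          # remote port
    dst: str            # our address
    dport: int          # our port
    syn: bool = False   # TCP SYN flag (meaningless for non-TCP)


def allow_established_tcp(pkt: Packet) -> bool:
    """ALLOW_ESTABLISHED_TCP: accept any TCP packet without SYN set, no matter
    which source, destination or port it carries; the TCP stack must sort
    out whether it belongs to a real connection."""
    return pkt.proto == "tcp" and not pkt.syn


def reverse_rule_for(local_addr, local_port, remote_addr, remote_port, proto):
    """Reverse rule spf creates for one outgoing connection: only replies from
    that exact peer to the exact local port used for the query match."""
    def matches(pkt: Packet) -> bool:
        return (pkt.proto == proto
                and pkt.src == remote_addr and pkt.sport == remote_port
                and pkt.dst == local_addr and pkt.dport == local_port)
    return matches


def filter_input(pkt: Packet, rules) -> bool:
    """First matching ACCEPT rule wins; no match means the packet is dropped."""
    return any(rule(pkt) for rule in rules)


# Constructed sample connection: 192.0.2.10:40000 -> 198.51.100.5:80 (web server)
CONN = dict(local_addr="192.0.2.10", local_port=40000,
            remote_addr="198.51.100.5", remote_port=80, proto="tcp")
REVERSE_CHAIN = [reverse_rule_for(**CONN)]
ESTABLISHED_CHAIN = [allow_established_tcp]

REPLY = Packet("tcp", "198.51.100.5", 80, "192.0.2.10", 40000)     # genuine reply
STRAY_ACK = Packet("tcp", "203.0.113.7", 1234, "192.0.2.10", 22)   # ACK from nowhere
NEW_SYN = Packet("tcp", "203.0.113.7", 1234, "192.0.2.10", 22, syn=True)


def compare(pkt: Packet) -> dict:
    """Verdict of each chain for one packet (True = accepted by the filter)."""
    return {"reverse_rules": filter_input(pkt, REVERSE_CHAIN),
            "allow_established": filter_input(pkt, ESTABLISHED_CHAIN)}
```

The stray ACK shows the difference the mail is worried about: the reverse-rule chain drops it in the filter, while ALLOW_ESTABLISHED_TCP passes it through and leaves the decision to the TCP stack.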