TCP question

To: Debian Development <debian-firewall@lists.debian.org>
Subject: TCP question
From: Michael Meskes <meskes@debian.org>
Date: Mon, 13 Mar 2000 15:41:31 +0100
Message-id: <20000313154131.A425@fam-meskes.de>
Mail-followup-to: Debian Development <debian-firewall@lists.debian.org>

I'm currently working on the next version of the statefule packet filter
(spf) that I packaged for Debian. This program has an option
ALLOW_ESTABLISHED_TCP that is enabled by default and I wonder if this really
is a good idea.

What this option does is allow all packets that are part of an established
TCP connection. Or in other words the input chains has an ACCEPT rule that
lists neither source nor destinatioan address but only asks for the SYN bit
not set.

Without this option a reverse rule is created for each TCP connection as it
is for UDP or ICMP. That means if you access www.debian.org a rule allowing
packets coming back from www.debian.org to exactly the port you used for
your query is created.

Now the upstream author argues that packets coming back have to be part of
an established TCP connection so a rule allowing them in has been created
anyway. And packets not fitting this description will be filter out by the
TCP stack anyway. 

Now my gut feeling is that this works for normal connections but not
necessarily for attacks. Wasn't there an attack that send lots of ACK
packages?

Any comments?

Michael
-- 
Michael Meskes                         | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz    | Go Rhein Fire!
Tel.: (+49) 2431/72651                 | Use Debian GNU/Linux!
Email: Michael@Fam-Meskes.De           | Use PostgreSQL!

Reply to:

Follow-Ups:
- Re: TCP question
  - From: Tamas TEVESZ <ice@extreme.hu>

Prev by Date: Re: ftp proxy
Next by Date: Re: TCP question
Previous by thread: Re: ftp proxy
Next by thread: Re: TCP question
Index(es):
- Date
- Thread