
Re: ssh connection survives reboot of stateful iptables router

also sprach Rene Mayrhofer <rene.mayrhofer@gibraltar.at> [2006.07.04.1013 +0200]:
> That must be connection pickup. At
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> search for "pickup".

Excellent pointer, and yet another reason why we should really be
looking for alternatives to the Linux kernel.

  The default, without the tcp-window-tracking patch, is to have
  this behaviour, and is not changeable.

So what's the point of iptables and statefulness in the end? It
keeps track of connections and lets packets belonging to established
connections pass, but if there's an ACK packet that doesn't belong
anywhere, iptables is kind enough to invite it to the club?

So then, if I ran e.g. cups and used the firewall rules
to make sure that no external clients can connect to it (say,
because I was too lazy to modify cupsd.conf), an attacker just has
to send an ACK packet to the socket, iptables will throw open the
doors, and let the connection in?

Reminds me of Microsoft Bob, which would, after three invalid
password entries, ask you whether you wanted to change your

Or is there some actual benefit I am overseeing? The FAQ does say
it's "after a failover" only, but no mention of how long.

So, NetBSD... one step closer...

Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
"i never travel without my diary. one should always have something
 sensational to read on the train."
                                                        -- oscar wilde
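An added audit check, not part of this thread or of the iptables tutorial, for the mitigation the tutorial recommends against mid-stream pickup: an INPUT rule that drops TCP packets opening a NEW conntrack entry without a SYN, placed ahead of the ACCEPT rules. It takes iptables-save text plus the value of net.netfilter.nf_conntrack_tcp_loose (the sysctl that turns pickup off on current kernels); both rulesets below are constructed samples.

```python
import re

# Constructed iptables-save output (not taken from the thread): INPUT accepts
# ESTABLISHED traffic, so a stray ACK that conntrack picks up is let through.
UNPROTECTED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# The tutorial's anti-pickup rule as iptables-save prints it: a TCP packet
# that opens a NEW conntrack entry without SYN can only be a pickup, so drop it.
NOSYN_RULE = ("-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN "
              "-m state --state NEW -j DROP")
HARDENED = UNPROTECTED.replace("-A INPUT -m state", NOSYN_RULE + "\n-A INPUT -m state")

# Accepts the "! --syn" or the expanded --tcp-flags spelling, with -m state
# or -m conntrack.
NOSYN_DROP = re.compile(
    r"^-A INPUT .*-p tcp .*! --(?:syn|tcp-flags FIN,SYN,RST,ACK SYN) "
    r".*--(?:state|ctstate) NEW .*-j (?:DROP|REJECT)")
# Any non-loopback ACCEPT on INPUT; the drop must come before all of these.
ANY_ACCEPT = re.compile(r"^-A INPUT (?!-i lo ).*-j ACCEPT")


def first_match(lines, pattern):
    """Index of the first line matching pattern, or None."""
    return next((i for i, line in enumerate(lines) if pattern.match(line)), None)


def pickup_mitigated(iptables_save, tcp_loose):
    """Report whether mid-stream TCP pickup is blocked on the INPUT chain.
    iptables_save: text from `iptables-save`; tcp_loose: value of
    net.netfilter.nf_conntrack_tcp_loose (0 = conntrack does no pickup)."""
    lines = iptables_save.splitlines()
    nosyn_at = first_match(lines, NOSYN_DROP)
    accept_at = first_match(lines, ANY_ACCEPT)
    # Conservative: an earlier ACCEPT could admit the pickup packet first.
    rule_ok = nosyn_at is not None and (accept_at is None or nosyn_at < accept_at)
    return {
        "sysctl_disables_pickup": tcp_loose == 0,
        "nosyn_drop_precedes_accepts": rule_ok,
        "mitigated": tcp_loose == 0 or rule_ok,
    }
```

Feed it the real `iptables-save` output and `sysctl -n net.netfilter.nf_conntrack_tcp_loose` to check a host; the check is deliberately strict about rule order.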
