Re: Scanning with reverse connections?

To: debian-security@lists.debian.org
Subject: Re: Scanning with reverse connections?
From: Jones <jones_mb@yahoo.com>
Date: Sun, 8 Jun 2003 17:11:43 -0500
Message-id: <a05210605bb0963450850@[192.168.63.11]>
In-reply-to: <[🔎] 20030605204037.GN18297@unblinking-eye.lcs.mit.edu>
References: <[🔎] 3EDF9A06.10705@travellingkiwi.com> <[🔎] 20030605200253.GA19412@torf.workaround.org> <[🔎] 20030605204037.GN18297@unblinking-eye.lcs.mit.edu>

No, it's not at all uncommon to see incoming traffic from well known
ports.  It's an easy way to bypass weakly configured firewalls.


can this weakness be fixed by having these lines in the iptables rules?

----
EXTERNAL_IF="eth0"

# Log and drop incoming TCP connection establishment packets.
iptables -A INPUT -i $EXTERNAL_IF -p tcp --syn -j LOG --log-prefix "TCP-SYN: "
iptables -A INPUT -i $EXTERNAL_IF -p tcp --syn -j DROP

# Allow packets from already established connections (redundant?)

iptables -A INPUT -i $EXTERNAL_IF -m state --stateESTABLISHED,RELATED -j ACCEPT

----

jmb

Reply to:

Follow-Ups:
- Re: Scanning with reverse connections?
  - From: Phillip Hofmeister <plhofmei@zionlth.org>

References:
- Scanning with reverse connections?
  - From: Hamish Marson <hamish@travellingkiwi.com>
- Re: Scanning with reverse connections?
  - From: Christoph Haas <email@christoph-haas.de>
- Re: Scanning with reverse connections?
  - From: Noah Meyerhans <noahm@debian.org>

Prev by Date: Re: Default Apache install not fit for multiple domains/users
Next by Date: Re: Default Apache install not fit for multiple domains/users
Previous by thread: Re: Scanning with reverse connections?
Next by thread: Re: Scanning with reverse connections?
Index(es):
- Date
- Thread