
Re: Scanning with reverse connections?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 09 Jun 2003 at 08:36:03PM -0500, Jones wrote:
> Phillip, I didn't post the entire file.


Sorry, that was so far up in the thread I lost track of it...

> The default policy on the INPUT chain is DROP.   I do allow incoming 

Good

> ssh & ftp from a couple of Linux servers that I manage.  All other 
> TCP traffic on the external interface is stopped by the "-p tcp --syn 
> -j DROP" rule.  I also have the rule "-t nat -A POSTROUTING -o 
> $EXTERNAL_IF -j MASQUERADE" coz this machine is a server for a couple 
> of machines connected to its local (non-internet) interface.

Much like my setup...

> 
> The rules also contain the usual stuff so the internal interfaces work i.e.
> iptables -A INPUT -i lo -j ACCEPT

Don't want to mess with the lo because then nasty things happen, good
move.

> From your response I assume that this setup would make the system 
> safe from unwanted/unexpected incoming traffic that originates from 
> well known ports.  What do these attacks do to fool firewalls 
> anyway?  Are there firewalls out there that let in traffic if it 
> appears to originate from a well known port?

I would stick with the -m state --state ESTABLISHED,RELATED rules and
get rid of the whole syn thing.  There are some attacks (such as XMas or
FIN Scans) that can take advantage of the fact you only trap SYN
packets.  A much better approach is either to match using:

-m state --state NEW

OR

Simply let the packet fall through until it hits the default DROP.


I would show you my implementation but I tend not to pass my firewall
script around very often...

Let me know if you need more help.

-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #9: Magnetic interference from money/credit cards 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+5VuhS3Jybf3L5MQRAkStAJ9uxgrgCj6iP3l+493d5lo1cGUtoACgh9Qi
JoT2SmTfkKgrYeYbP+3Eq48=
=doq/
-----END PGP SIGNATURE-----
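The stateful INPUT chain Phillip recommends, written out as an added example. This is not Phillip's or Jones's script (neither posted one); the external interface name, the two admin host addresses (constructed from the 192.0.2.0/24 documentation range) and the IPT variable used for a dry run are assumptions.

```shell
#!/bin/sh
# Stateful INPUT chain in the spirit of the advice above: rely on -m state
# rather than a "-p tcp --syn -j DROP" rule, so probes with odd flag
# combinations (XMas, FIN) get no special treatment; they are simply not part
# of a tracked connection and fall through to the default DROP.
#
# Assumptions (not from the thread): the external interface name, the admin
# addresses (constructed, from the TEST-NET-1 documentation range) and the
# IPT variable, which lets the rules be printed instead of applied.
EXTERNAL_IF="${EXTERNAL_IF:-eth0}"
ADMIN_HOSTS="${ADMIN_HOSTS:-192.0.2.10 192.0.2.11}"
IPT="${IPT:-iptables}"

build_input_rules() {
    # Default policy first, so nothing slips in while the chain is rebuilt.
    $IPT -P INPUT DROP
    $IPT -F INPUT

    # Loopback must keep working or local services misbehave.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened, plus RELATED traffic such as
    # FTP data channels, are accepted whatever their TCP flags.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets that claim to belong to a connection conntrack has never seen
    # (a lone FIN or an XMas probe, for instance) are dropped explicitly.
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Only genuinely NEW connections from the admin hosts reach ftp and ssh.
    for host in $ADMIN_HOSTS; do
        $IPT -A INPUT -i "$EXTERNAL_IF" -s "$host" -p tcp \
            -m state --state NEW -m multiport --dports 21,22 -j ACCEPT
    done

    # Everything else falls through to the chain's default DROP policy;
    # no separate --syn rule is needed.
}

# "sh firewall.sh apply" loads the rules; "sh firewall.sh dry-run" prints them.
case "${1:-}" in
    apply)   build_input_rules ;;
    dry-run) IPT="echo iptables"; build_input_rules ;;
esac
```

The `-m state` match is what the 2.4-era thread uses; on current kernels it is an alias for `-m conntrack --ctstate`, and the FTP helper that makes data connections show up as RELATED is `nf_conntrack_ftp` rather than the old `ip_conntrack_ftp` module.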


