
Re: Firewall-troubleshooting

Daniel Pittman wrote:
> ...
>>Am I right in understanding that you consider accepting
>>RELATED/ESTABLISHED packets a bad thing?
> No.  Accepting *any* RELATED/ESTABLISHED packets is, though, if someone
> finds an attack to generate entries in the conntrack table.  Like, say,
> the active FTP NAT PORT bug from quite some time ago, which would allow
> remote attackers to do just that. :)
> Limiting the RELATED/ESTABLISHED packets to what you actually expect
> (part of an established connection to a service you actually use) is a
> more secure policy.

I mustn't be understanding you here.  Isn't the very definition of
RELATED/ESTABLISHED that the packet is part of an established connection
to a service actually used?

How would you expect a RELATED/ESTABLISHED rule to be used, and how does
this contrast with the way that shorewall or the OP's script works (I'm
not sure which one you're inferring is not using RELATED/ESTABLISHED in
the preferred way)?

Did you know?  If you use two dashes followed by a space as your
signature separator, good email programs will chop them off
automatically, reducing noise in email replies.
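An added example, not from this thread, of the two policies Daniel contrasts: a shell script that prints iptables rules for a blanket RELATED/ESTABLISHED accept beside a version narrowed to the flows the host actually expects. The interface name, the service ports and the use of the legacy `-m state` match are assumptions.

```shell
#!/bin/sh
# Added example: both functions only print iptables commands; pass "apply"
# as $1 to execute the narrowed set (needs root). eth0 and the port list
# are assumptions, not values from the thread.

WAN=eth0   # assumed external interface

# Broad policy: anything conntrack classifies as RELATED or ESTABLISHED is
# accepted, so any table entry an attacker can provoke becomes an open door.
broad_rules() {
    echo "iptables -A INPUT -i $WAN -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Narrowed policy: ESTABLISHED only for flows this host really has (inbound
# SSH, replies to outbound HTTP/HTTPS/DNS); RELATED only for the two things
# expected to create related entries here: ICMP errors and active-FTP data
# connections tracked by the ftp conntrack helper. Leftovers are logged.
narrow_rules() {
    # continuation of inbound connections to a service offered here
    echo "iptables -A INPUT -i $WAN -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT"
    # replies to outbound client connections
    for sport in 80 443; do
        echo "iptables -A INPUT -i $WAN -p tcp --sport $sport -m state --state ESTABLISHED -j ACCEPT"
    done
    echo "iptables -A INPUT -i $WAN -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT"
    # RELATED: ICMP error messages about our own flows
    echo "iptables -A INPUT -i $WAN -p icmp -m state --state RELATED -j ACCEPT"
    # RELATED: active FTP data connection, only from server port 20
    echo "iptables -A INPUT -i $WAN -p tcp --sport 20 -m state --state RELATED -j ACCEPT"
    # anything else conntrack would have waved through: log it, then drop it
    echo "iptables -A INPUT -i $WAN -m state --state RELATED,ESTABLISHED -j LOG --log-prefix 'unexpected-ct: '"
    echo "iptables -A INPUT -i $WAN -m state --state RELATED,ESTABLISHED -j DROP"
}

# How many rules in a set accept RELATED/ESTABLISHED with no other match?
count_blanket_accepts() {
    "$1" | grep -c -- '-m state --state RELATED,ESTABLISHED -j ACCEPT' || true
}

if [ "$1" = "apply" ]; then
    narrow_rules | while read -r cmd; do sh -c "$cmd"; done
fi
```

The final LOG rule is what makes the narrowed policy useful for detection: a hit there means conntrack created an entry the ruleset did not anticipate.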
