[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Firewall-troubleshooting

Michael Stone wrote:

On Tue, Jul 05, 2005 at 11:57:37PM +1000, Daniel Pittman wrote:

As to trusting the firewall, or not, there has been at least one bug
where attackers could manipulate the content of the conntrack expect
table remotely.  Other bugs, local or remote, are not out of the

No they're not. But if you cripple the firewall and rules to the extent
you're doing you might as well just not use connection tracking. You've
effectively turned the rules into stateless port filters anyway.

Mike Stone

I disagree. I think you're missing the point. Just imagine I have a firewall with a mailserver and a ssh server behind it.
Let me use:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -p tcp -d mailserver --dport 25 -j ACCEPT
iptables -A FORWARD -j DROP

No one on the internet can reach the ssh server.
Now we have a bug in the connection tracking module which permit an attacker to add expected tuples. Something like tcp 6 40000 ESTABLISHED src=attacker dst=sshserver sport=1025 dport=22 ...
You're exposed.
But using iptables -A FORWARD -m state --state ESTABLISHED -p tcp -d mailserver --dport 25 -j ACCEPT you're fine.

And you're not using iptables as a stateless firewall, because you're not allowing spurious packets, but only ESTABLISHED or NEW.


Reply to: