Michael Stone wrote:
I disagree. I think you're missing the point. Just imagine I have a
firewall with a mailserver and a ssh server behind it.
On Tue, Jul 05, 2005 at 11:57:37PM +1000, Daniel Pittman wrote:
As to trusting the firewall, or not, there has been at least one bug
where attackers could manipulate the content of the conntrack expect
table remotely. Other bugs, local or remote, are not out of the
No they're not. But if you cripple the firewall and rules to the extent
you're doing you might as well just not use connection tracking. You've
effectively turned the rules into stateless port filters anyway.
Let me use:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -p tcp -d mailserver --dport 25
iptables -A FORWARD -j DROP
No one on the internet can reach the ssh server.
Now we have a bug in the connection tracking module which permit an
attacker to add expected tuples. Something like tcp 6 40000 ESTABLISHED
src=attacker dst=sshserver sport=1025 dport=22 ...
But using iptables -A FORWARD -m state --state ESTABLISHED -p tcp -d
mailserver --dport 25 -j ACCEPT you're fine.
And you're not using iptables as a stateless firewall, because you're
not allowing spurious packets, but only ESTABLISHED or NEW.