Michael Stone wrote:
> On Tue, Jul 05, 2005 at 11:57:37PM +1000, Daniel Pittman wrote:
>> As to trusting the firewall, or not, there has been at least one bug
>> where attackers could manipulate the content of the conntrack expect
>> table remotely. Other bugs, local or remote, are not out of the
>> question.
>
> No they're not. But if you cripple the firewall and rules to the extent
> you're doing you might as well just not use connection tracking. You've
> effectively turned the rules into stateless port filters anyway.
>
> Mike Stone

I disagree. I think you're missing the point. Just imagine I have a
firewall with a mailserver and an ssh server behind it.

Let me use:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -p tcp -d mailserver --dport 25 -j ACCEPT
iptables -A FORWARD -j DROP

No one on the internet can reach the ssh server.

Now we have a bug in the connection tracking module which permits an
attacker to add expected tuples. Something like:

tcp 6 40000 ESTABLISHED src=attacker dst=sshserver sport=1025 dport=22 ...

You're exposed.

But using

iptables -A FORWARD -m state --state ESTABLISHED -p tcp -d mailserver --dport 25 -j ACCEPT

you're fine.

And you're not using iptables as a stateless firewall, because you're
not allowing spurious packets, but only ESTABLISHED or NEW.

Regards,
Radel
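The two rule sets in the message above, as an added example that is not part of Radel's post or of netfilter itself: a small Python model of FORWARD-chain evaluation that runs the loose and the tightened rules over a legitimate SMTP session and over the packet that an injected conntrack tuple would let through. The addresses, the conntrack entry and the sample traffic are constructed for the example, and the model takes the conntrack state as an input instead of computing it. The tightened rule in the post matches only packets toward mailserver:25, so the model adds an assumed mirror rule for the reply direction (ESTABLISHED, from mailserver port 25) so that the SMTP session can complete, and keeps the NEW rule, as the post's last paragraph implies.

```python
"""Added example: a model of iptables FORWARD-chain evaluation.
Constructed illustration code, not the post's and not real netfilter;
the conntrack state of each packet is supplied, standing in for what
ip_conntrack would decide (or what an injected entry makes it decide)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Assumed addresses from the RFC 5737 documentation ranges.
MAILSERVER = "192.0.2.25"
SSHSERVER = "192.0.2.22"
ATTACKER = "198.51.100.7"
CLIENT = "203.0.113.9"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ctstate: str  # NEW / ESTABLISHED / RELATED as conntrack labels the packet


@dataclass(frozen=True)
class Rule:
    """One '-m state ... -j TARGET' rule; a None field is not matched on."""
    target: str
    states: Optional[FrozenSet[str]] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.states is None or p.ctstate in self.states)
                and (self.proto is None or p.proto == self.proto)
                and (self.src is None or p.src == self.src)
                and (self.sport is None or p.sport == self.sport)
                and (self.dst is None or p.dst == self.dst)
                and (self.dport is None or p.dport == self.dport))


def forward(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """First matching rule wins, as in a netfilter chain; else the policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# Rule set 1 from the post: ESTABLISHED/RELATED accepted wherever it goes.
LOOSE = [
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", states=frozenset({"NEW"}), proto="tcp", dst=MAILSERVER, dport=25),
    Rule("DROP"),
]

# Rule set 2: ESTABLISHED accepted only toward mailserver:25.  The reply-
# direction rule (from mailserver port 25) is an assumption of this example.
TIGHT = [
    Rule("ACCEPT", states=frozenset({"ESTABLISHED"}), proto="tcp", dst=MAILSERVER, dport=25),
    Rule("ACCEPT", states=frozenset({"ESTABLISHED"}), proto="tcp", src=MAILSERVER, sport=25),
    Rule("ACCEPT", states=frozenset({"NEW"}), proto="tcp", dst=MAILSERVER, dport=25),
    Rule("DROP"),
]


def packet_from_conntrack(line: str) -> Packet:
    """Original-direction packet of an ip_conntrack-style entry (the format
    the post's injected tuple mimics): the first src/dst/sport/dport quadruple
    is the original tuple, the second one the reply tuple."""
    fields = line.split()
    proto, state = fields[0], fields[3]
    kv: Dict[str, str] = {}
    for f in fields:
        if "=" in f:
            k, v = f.split("=", 1)
            kv.setdefault(k, v)  # keep the original-direction tuple
    return Packet(proto, kv["src"], int(kv["sport"]), kv["dst"], int(kv["dport"]), state)


# Constructed entry: what the table holds once the attacker's injected
# expectation makes attacker:1025 -> sshserver:22 look like a live session.
INJECTED_ENTRY = (f"tcp 6 40000 ESTABLISHED src={ATTACKER} dst={SSHSERVER} "
                  f"sport=1025 dport=22 src={SSHSERVER} dst={ATTACKER} "
                  f"sport=22 dport=1025 [ASSURED] use=1")

# Constructed traffic: a legitimate SMTP session plus the attack packets.
SMTP_SYN = Packet("tcp", CLIENT, 40000, MAILSERVER, 25, "NEW")
SMTP_REPLY = Packet("tcp", MAILSERVER, 25, CLIENT, 40000, "ESTABLISHED")
SSH_SYN = Packet("tcp", ATTACKER, 1025, SSHSERVER, 22, "NEW")
SSH_VIA_INJECTED = packet_from_conntrack(INJECTED_ENTRY)


def verdicts(chain: List[Rule]) -> Dict[str, str]:
    """Verdict for each sample packet under the given chain."""
    samples = {"smtp_syn": SMTP_SYN, "smtp_reply": SMTP_REPLY,
               "ssh_syn": SSH_SYN, "ssh_via_injected": SSH_VIA_INJECTED}
    return {name: forward(chain, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, chain in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, verdicts(chain))
```

Under the loose chain the injected-tuple packet is ACCEPTed by the first rule before any destination is looked at; under the tightened chain it falls through to DROP because no rule accepts ESTABLISHED traffic to sshserver:22, while the SMTP session is still accepted in both directions.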