Tobias DiPasquale on 12 Dec 2004 03:18:02 -0000



Re: [PLUG] Blocked outgoing ports



On Dec 11, 2004, at 4:01 PM, Martin DiViaio wrote:
> Be careful here, I've seen hack attempts that set the RELATED and/or
> ESTABLISHED bits on a packet to bypass a firewall. The only thing that
> saved me was the server that was being attacked had its own firewall that
> had all of its allowed traffic explicitly defined.

This is not possible. RELATED and ESTABLISHED are not "bits" that can be set by an external system. They refer to the internal state of the ip_conntrack record only. ESTABLISHED refers to a TCP connection that's completed the three-way synchronization handshake. RELATED refers to a connection that is logically related to one that is already established (e.g. the data transfer connection that is associated with an FTP command session).


These cannot be set by an attacker, but are gleaned by ip_conntrack as the traffic passes back and forth. A perusal of the state match module will show you that what you saw was not what you thought you saw. For reference, if your kernel sources are in /usr/src, then it's in /usr/src/linux/net/ipv4/netfilter/ipt_state.c.

> I think that iptables supports internal connection tracking which is an
> alternative to the --state check but is probably much more RAM intensive.

It does this through the use of ip_conntrack. Stateful firewalling is always more RAM intensive than not because storing state costs RAM while not storing it doesn't. The state match is matching the state of the ip_conntrack record, nothing else.


iptables itself is just a userspace wrapper and associated kernel hooks for a framework called netfilter. Netfilter is the packet filtering engine in Linux since the 2.4 series. ip_conntrack is a framework that is built on top of netfilter to provide stateful firewalling functionality. It is exposed to the user via a number of iptables modules, for example the state and connmark matches and any of the NAT matches or targets. ip_conntrack was in fact created to clean up and streamline NAT for Linux, and Linux NAT is now entirely based upon the netfilter/ip_conntrack framework.

--
Tobias DiPasquale
7A79 308C 0354 EA9C 7807  ED83 03C9 9E01 148E 7D01
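As an added illustration, not part of the original thread or of the kernel's code, here is a small Python model of the point made above: the state match classifies a packet from the conntrack table built by observing earlier traffic, not from anything carried in the packet. The addresses, the per-port policy and the simplified handshake model (RELATED is not modelled) are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags as seen on the wire, e.g. frozenset({"SYN"})


class ConnTracker:
    """Minimal stand-in for ip_conntrack: state lives in this table, keyed by
    connection, and is never read from the packet itself (simplified model)."""

    def __init__(self):
        self.table = {}  # connection key -> set of (addr, port) endpoints seen sending

    @staticmethod
    def key(pkt):
        # One key for both directions of the same connection
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def state_of(self, pkt):
        """Classify a packet the way `-m state` would, updating the table."""
        k = self.key(pkt)
        entry = self.table.get(k)
        if entry is None:
            if pkt.flags == frozenset({"SYN"}):  # only a bare SYN opens a new entry
                self.table[k] = {(pkt.src, pkt.sport)}
                return "NEW"
            return "INVALID"  # flag games with no tracked handshake behind them
        entry.add((pkt.src, pkt.sport))
        return "ESTABLISHED"


def decide(tracker, pkt, allowed_new_ports=(22,)):
    """Stateful policy: accept tracked traffic, accept NEW only to explicitly
    allowed ports, drop everything else (constructed policy)."""
    state = tracker.state_of(pkt)
    if state == "ESTABLISHED":
        return "ACCEPT"
    if state == "NEW" and pkt.dport in allowed_new_ports:
        return "ACCEPT"
    return "DROP"


def demo():
    ct = ConnTracker()
    # Constructed packets: an ACK-only packet with no handshake behind it,
    # followed by a legitimate SSH handshake (SYN in, SYN/ACK out, ACK in).
    spoof = Packet("203.0.113.9", 40000, "192.0.2.10", 80, frozenset({"ACK"}))
    syn = Packet("198.51.100.7", 51000, "192.0.2.10", 22, frozenset({"SYN"}))
    synack = Packet("192.0.2.10", 22, "198.51.100.7", 51000, frozenset({"SYN", "ACK"}))
    ack = Packet("198.51.100.7", 51000, "192.0.2.10", 22, frozenset({"ACK"}))
    return [decide(ct, p) for p in (spoof, syn, synack, ack)]
```

The ACK-only packet is dropped as INVALID because no tracked connection exists for it, while the reply and third packet of the real handshake match ESTABLISHED because the table was populated by the earlier SYN.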

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug