Tobias DiPasquale on 12 Dec 2004 03:18:02 -0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Dec 11, 2004, at 4:01 PM, Martin DiViaio wrote:

> Be careful here, I've seen hack attempts that set the RELATED and/or

This is not possible. RELATED and ESTABLISHED are not "bits" that can be set by an external system. They refer to the internal state of the ip_conntrack record only. ESTABLISHED refers to a TCP connection that's completed the three-way synchronization handshake. RELATED refers to a connection that is logically related to one that is already established (e.g. the data transfer connection that is associated with an FTP command session). These cannot be set by an attacker, but are gleaned by ip_conntrack as the traffic passes back and forth.

A perusal of the state match module will show you that what you saw was not what you thought you saw. For reference, if your kernel sources are in /usr/src, then it's in /usr/src/linux/net/ipv4/netfilter/ipt_state.c.

> I think that iptables supports internal connection tracking which is an

It does this through the use of ip_conntrack. Stateful firewalling is always more RAM-intensive than not, because storing state costs RAM while not storing it doesn't. The state match is matching the state of the ip_conntrack record, nothing else.

iptables itself is just a userspace wrapper and associated kernel hooks for a framework called netfilter. Netfilter has been the packet filtering engine in Linux since the 2.4 series. ip_conntrack is a framework that is built on top of netfilter to provide stateful firewalling functionality. It is exposed to the user via a number of iptables modules, for example the state and connmark matches and any of the NAT matches or targets. ip_conntrack was in fact created to clean up and streamline NAT for Linux, and Linux NAT is now entirely based upon the netfilter/ip_conntrack framework.
- --
Tobias DiPasquale
7A79 308C 0354 EA9C 7807 ED83 03C9 9E01 148E 7D01

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (Darwin)

iD8DBQFBu7hIA8meARSOfQERAjd7AJ0VH2T+mjGsGjmwLhtAQgICst+LbwCgqjol
wOKqgyUPrJU+lO/Q/8MWgAs=
=J84y
-----END PGP SIGNATURE-----
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
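To make the point above concrete, here is an added example (not part of the original post, and not the Netfilter project's own code): a minimal stateful ruleset in iptables-restore format that relies on exactly the ip_conntrack states the post describes, with the FTP helper loaded so the data connection of an FTP session is classified RELATED. The allowed ports, the `--apply` flag, and the helper function names are assumptions made for illustration. It goes one step beyond the post by adding a caveat about the NEW state: to ip_conntrack, NEW means "first packet seen for this tuple", not "SYN packet", so a stray mid-stream ACK after a table flush is NEW and should be dropped explicitly.

```shell
#!/bin/sh
# Added example: a minimal stateful ruleset in iptables-restore format, built
# around the ip_conntrack states described in the post. Not from the original
# post; the allowed ports and the --apply convention are assumptions.

# ip_conntrack_ftp watches the FTP command channel (port 21) and registers an
# expectation, so the matching data connection is classified RELATED, not NEW.
# The module name is the 2.4-era one the post refers to (nf_conntrack_ftp
# in later kernels).
FTP_HELPER=ip_conntrack_ftp

# Emit the ruleset. Rule order matters: the state match consults the conntrack
# record for every packet, so accepting ESTABLISHED,RELATED first means the
# per-service rules below only ever see the first packet of a flow.
# (iptables-restore ignores lines beginning with '#'.)
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Packets belonging to a tracked connection, or expected by a helper (FTP data).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack could not associate with any record at all.
-A INPUT -m state --state INVALID -j DROP
# Caveat: NEW means "first packet conntrack has seen for this tuple", not
# "SYN". A stray ACK after a conntrack table flush is NEW, so require SYN.
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Only now decide which new connections are welcome (assumed ports).
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check: how many rules actually consult the conntrack state.
count_state_rules() {
    gen_rules | grep -c -- '--state'
}

# Line number of the first rule mentioning the given token, for ordering checks.
rule_line() {
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Show the table the state match reads from (2.4/2.6 path, then the newer one).
show_conntrack() {
    cat /proc/net/ip_conntrack 2>/dev/null || cat /proc/net/nf_conntrack
}

# Apply only when explicitly asked, so the script can be read without root.
if [ "${1:-}" = "--apply" ]; then
    modprobe "$FTP_HELPER"
    gen_rules | iptables-restore
    show_conntrack
fi
```

Run it with `--apply` as root to load the FTP helper and install the rules; without arguments it only defines the functions. After an FTP transfer, `/proc/net/ip_conntrack` shows the command session with `ESTABLISHED` and `[ASSURED]`, and the data connection appears as its own record: the RELATED classification was made by the helper's expectation, not by anything in the client's packets.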