Martin DiViaio on 12 Dec 2004 04:59:02 -0000



Re: [PLUG] Blocked outgoing ports



[...]


On the 11th day of December in the year 2004 you wrote:

> Date: Sat, 11 Dec 2004 22:17:22 -0500
> From: Tobias DiPasquale <toby@cbcg.net>
> To: plug@lists.phillylinux.org
> Subject: Re: [PLUG] Blocked outgoing ports
> 
> On Dec 11, 2004, at 4:01 PM, Martin DiViaio wrote:
> > Be careful here, I've seen hack attempts that set the RELATED and/or
> > ESTABLISHED bits on a packet to bypass a firewall. The only thing that
> > saved me was the server that was being attacked had its own firewall that
> > had all of its allowed traffic explicitly defined.
> 
> This is not possible. RELATED and ESTABLISHED are not "bits" that can
> be set by an external system. They refer to the internal state of the
> ip_conntrack record only. ESTABLISHED refers to a TCP connection that's
> completed the three-way synchronization handshake. RELATED refers to a
> connection that is logically related to one that is already established
> (e.g. the data transfer connection that is associated with an FTP
> command session).
> 
> These cannot be set by an attacker, but are gleaned by ip_conntrack as
> the traffic passes back and forth. A perusal of the state match module
> will show you that what you saw was not what you thought you saw. For
> reference, if your kernel sources are in /usr/src, then it's in
> /usr/src/linux/net/ipv4/netfilter/ipt_state.c.


Oops, sorry, I brain-farted into Cisco IOS' land. ESTABLISHED is a keyword
for checking the RST and ACK bits on a packet in an extended access-list.
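The distinction the two replies above settle on, as an added illustration that is not part of the thread and not the kernel's or IOS's own code: the IOS `established` keyword is a stateless check of the ACK/RST bits, which any sender can set, while the netfilter state match reports ESTABLISHED only from what ip_conntrack has already seen on the wire. The tracker below is a deliberately simplified model of that behaviour; the packets are constructed samples.

```python
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

def ios_established(pkt: Pkt) -> bool:
    """Cisco IOS extended-ACL 'established': a stateless header check that
    is true whenever ACK or RST is set. Any sender can set those bits."""
    return bool(pkt.flags & (ACK | RST))

class ConnTracker:
    """Simplified model of ip_conntrack TCP tracking (not the kernel code):
    state comes from packets already seen, never from the packet itself."""

    def __init__(self):
        self.table = {}   # originator 4-tuple -> True once a reply was seen

    def classify(self, pkt: Pkt) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:                   # originator -> responder
            return "ESTABLISHED" if self.table[fwd] else "NEW"
        if rev in self.table:                   # responder -> originator
            self.table[rev] = True              # reply seen: now ESTABLISHED
            return "ESTABLISHED"
        if pkt.flags == SYN:                    # start of a handshake
            self.table[fwd] = False
            return "NEW"
        # ACK/RST with no tracked connection: strict conntrack says INVALID
        # (loose pickup would say NEW); it is never ESTABLISHED.
        return "INVALID"

if __name__ == "__main__":
    t = ConnTracker()
    # Constructed sample traffic: a bare ACK with no prior handshake, then a
    # genuine SYN / SYN-ACK / ACK exchange (documentation address ranges).
    forged = Pkt("203.0.113.9", 40000, "192.0.2.10", 22, ACK)
    print("forged ACK ->", ios_established(forged), t.classify(forged))
    for p in (Pkt("192.0.2.10", 50000, "198.51.100.5", 80, SYN),
              Pkt("198.51.100.5", 80, "192.0.2.10", 50000, SYN | ACK),
              Pkt("192.0.2.10", 50000, "198.51.100.5", 80, ACK)):
        print(f"flags={p.flags:#04x} ->", ios_established(p), t.classify(p))
```

The bare ACK passes the flag check but gets no ESTABLISHED state from the tracker; only the real handshake does.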



___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug