Vulnerability Development mailing list archives

Re: iptables 'syn but not new' packets


From: "Leonardo Rodrigues" <coelho () persogo com br>
Date: Thu, 13 Dec 2001 11:03:13 -0300


    Supposing this 'four seconds' connectivity problem, leading to a
timeout. In your example, host A FINs the connection. After that,
connectivity is OK again.

    I really don't see the problem here. As the connection was already
finished (FIN), it really seems unnecessary that the firewall continues
accepting packets of that connection. In this situation (timeout with
FIN), the connection would really be lost and should be redone.

    What do you think of that?

    Sincerely,
    Leonardo Rodrigues

----- Original Message -----
From: "Michal Zalewski" <lcamtuf () coredump cx>
To: "Leonardo Rodrigues" <coelho () persogo com br>
Sent: Tuesday, December 11, 2001 3:47 PM
Subject: Re: iptables 'syn but not new' packets



Imagine there is some kind of connectivity problem between your host, A,
and a remote server B. Your firewall might receive ICMP host unreachable
from a router, or A might simply FIN the connection due to a timeout. At
this point, your firewall table does not contain this connection anymore.

But after a while, everything is back to normal, and the remote host still
thinks it is connected to you (maybe it had different timeout settings,
maybe some lost packets arrived at it in the meantime), while your
firewall thinks it is not. The remote host sends a data packet (e.g. an HTTP,
FTP, IRC, SMTP server "idle disconnect" message), and here we go.
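The exchange described in the quoted message, replayed against a toy model of a stateful packet filter. This is an added example, not code from either poster and not Netfilter's connection tracking: the table, its immediate forgetting of a flow on FIN/RST, the rule order, the addresses and ports, and the IRC "idle disconnect" line are all constructed simplifications. It shows how the late data packet from B reaches the firewall as a non-SYN packet that conntrack classifies NEW, so the '-p tcp ! --syn -m state --state NEW -j DROP' rule drops it, and that an unsolicited bare ACK probe looks exactly the same to the filter.

```python
"""Toy model of a stateful filter and the iptables rule
'-p tcp ! --syn -m state --state NEW -j DROP'.

Added example; a simplified stand-in for Netfilter conntrack, not its real
implementation or default timeouts.
"""
from dataclasses import dataclass

# TCP flag bits (assumption: only these five are modelled)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


def is_syn(p):
    """iptables --syn: SYN set and ACK, RST, FIN clear."""
    return p.flags & (SYN | ACK | RST | FIN) == SYN


class ConnTable:
    """Minimal connection tracker keyed on the unordered 4-tuple.

    Simplifications assumed here: an entry is created by the first accepted
    packet of a flow, removed as soon as a FIN or RST is accepted (real
    conntrack keeps a closing entry for a while), and expire() stands in
    for an idle timeout or an ICMP unreachable that makes the firewall
    forget the flow.
    """

    def __init__(self):
        self._flows = set()

    @staticmethod
    def _key(p):
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    def state(self, p):
        """'NEW' if the 4-tuple is unknown to the table, else 'ESTABLISHED'."""
        return "ESTABLISHED" if self._key(p) in self._flows else "NEW"

    def note(self, p):
        """Update the table for a packet the firewall accepted."""
        if p.flags & (FIN | RST):
            self._flows.discard(self._key(p))
        else:
            self._flows.add(self._key(p))

    def expire(self, p):
        self._flows.discard(self._key(p))


def filter_packet(table, p, drop_syn_but_not_new):
    """Apply the assumed rule set in order and return the verdict.

      1. tcp, not --syn, state NEW  -> DROP   (the rule under discussion, optional)
      2. state ESTABLISHED          -> ACCEPT
      3. state NEW                  -> ACCEPT (this policy allows new connections)
    """
    if drop_syn_but_not_new and table.state(p) == "NEW" and not is_syn(p):
        return "DROP"
    table.note(p)
    return "ACCEPT"


def michal_scenario(drop_syn_but_not_new, lost_by="fin"):
    """Replay the quoted scenario; returns the verdict for every filtered packet.

    lost_by="fin":  A times out and FINs, so the filter forgets the flow.
    lost_by="icmp": the filter forgets the flow after an ICMP host unreachable.
    """
    table = ConnTable()
    a, b = ("10.0.0.1", 40123), ("192.0.2.10", 6667)  # constructed: host A, IRC server B
    steps = [
        Packet(*a, *b, SYN),        # A opens the connection: NEW with a SYN
        Packet(*b, *a, SYN | ACK),  # B answers: flow is now ESTABLISHED
    ]
    if lost_by == "fin":
        steps.append(Packet(*a, *b, FIN | ACK))  # link trouble: A gives up and FINs
    verdicts = [filter_packet(table, p, drop_syn_but_not_new) for p in steps]
    if lost_by == "icmp":
        table.expire(steps[0])  # router reported B unreachable; entry dropped
    # Network recovers. B never learned of the teardown and sends its
    # "idle disconnect" line (constructed payload).
    late = Packet(*b, *a, PSH | ACK, b"ERROR :Closing Link: idle timeout\r\n")
    verdicts.append(filter_packet(table, late, drop_syn_but_not_new))
    return verdicts


def ack_probe_verdict(drop_syn_but_not_new):
    """An unsolicited bare ACK (an ACK-scan style probe) to a fresh table is
    indistinguishable from the late data packet above: same verdict either way."""
    table = ConnTable()
    probe = Packet("203.0.113.7", 55555, "10.0.0.1", 22, ACK)  # constructed
    return filter_packet(table, probe, drop_syn_but_not_new)


if __name__ == "__main__":
    for rule_on in (True, False):
        print("rule on:" if rule_on else "rule off:",
              michal_scenario(rule_on), michal_scenario(rule_on, "icmp"),
              "ack probe:", ack_probe_verdict(rule_on))
```

With the rule in place the last verdict of each scenario is DROP (the legitimate late packet and the probe alike); without it the same packet is ACCEPTed by the "state NEW" rule even though no SYN ever opened a connection, which is what the rule exists to prevent.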


