Vulnerability Development mailing list archives
Re: iptables 'syn but not new' packets
From: Cedric Blancher <blancher () cartel-info fr>
Date: 14 Dec 2001 11:25:52 +0100
On Thu 13-12-2001 at 15:16, Leonardo Rodrigues wrote:
> I understand 'restart the firewall' as 'iptables -F; iptables -X; iptables -Z' and not as a real machine reboot. In the case of a machine reboot, it would be very difficult (if not impossible) to guarantee that opened connections would remain open. Who knows how much time the machine will take to boot?
Sure. You can imagine you have a spare firewall for failover using VRRP. Shut down the master, and the slave will be acting, with a kind of reset state.
> I've not REALLY tested this, but with these simple tests, it seems that a soft restart of the firewall (1-2 seconds) would NOT lose opened connections, as states are NOT done directly by ip_tables. What do you think of that?
iptables and Netfilter, although they are closely linked, are two separate things. iptables is a userland tool that aims to configure Netfilter ip_table stuff. Netfilter also provides ip_conntrack, which acts separately from ip_table. Even if you do not use --match state, having ip_conntrack loaded _will_ classify _all_ connections' state. Doing "iptables -F; iptables -X; iptables -Z" will only act on ip_table, but not on ip_conntrack. Nowadays, I am not aware of a tool that can act on ip_conntrack tables (we can grab the state table, but not yet act on it). To be quick, iptables does not act on ip_conntrack stuff.

--
Cédric Blancher
Systems and network security consultant
Cartel Informatique - Groupe CGBI - http://www.cartel-info.fr/
Tel: 01 44 06 97 87 - Fax 01 44 06 97 99
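An added example, not part of this thread: the post says the ip_conntrack state table can be read but not acted on, so one way to check its claim is to snapshot the table before and after "iptables -F; iptables -X; iptables -Z" and diff the two. The parser below assumes the 2.4-era /proc/net/ip_conntrack line layout, and the sample entries are constructed.

```python
# Constructed sample snapshots in the 2.4-era /proc/net/ip_conntrack layout
# (assumed format; not taken from the post). BEFORE is read with rules loaded,
# AFTER is read again after "iptables -F; iptables -X; iptables -Z".
BEFORE = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=34567 dport=22 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=34567 [ASSURED] use=1
tcp      6 118 SYN_SENT src=192.0.2.11 dst=198.51.100.5 sport=40001 dport=80 [UNREPLIED] src=198.51.100.5 dst=192.0.2.11 sport=80 dport=40001 use=1
udp      17 29 src=192.0.2.12 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.0.2.12 sport=53 dport=5353 use=1
"""
AFTER = BEFORE  # flushing ip_tables leaves ip_conntrack untouched, so nothing changes


def parse_entry(line):
    """Parse one ip_conntrack line into a dict; returns None for blank lines."""
    tokens = line.split()
    if not tokens:
        return None
    entry = {"proto": tokens[0], "timeout": int(tokens[2]), "state": None,
             "flags": [], "orig": {}, "reply": {}}
    rest = tokens[3:]
    # TCP carries a state word (ESTABLISHED, SYN_SENT, ...); UDP/ICMP do not.
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest.pop(0)
    target = "orig"  # original-direction tuple first, reply tuple second
    for tok in rest:
        if tok.startswith("["):               # [ASSURED] / [UNREPLIED]
            entry["flags"].append(tok.strip("[]"))
            continue
        key, _, value = tok.partition("=")
        if key == "use":
            continue
        if key == "src" and "src" in entry[target]:  # second src= starts reply tuple
            target = "reply"
        entry[target][key] = value
    return entry


def parse_table(text):
    """Map each connection (proto + original 4-tuple) to its parsed entry."""
    table = {}
    for line in text.splitlines():
        e = parse_entry(line)
        if e:
            o = e["orig"]
            table[(e["proto"], o["src"], o["sport"], o["dst"], o["dport"])] = e
    return table


def lost_connections(before_text, after_text):
    """Connections present in the first snapshot but missing from the second."""
    before, after = parse_table(before_text), parse_table(after_text)
    return sorted(k for k in before if k not in after)
```

On a live 2.4 box the two snapshots would come from reading /proc/net/ip_conntrack around the flush; an empty result from lost_connections means the state table survived it.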
Current thread:
- iptables 'syn but not new' packets Leonardo Rodrigues (Dec 11)
- Re: iptables 'syn but not new' packets Blue Boar (Dec 11)
- Re: iptables 'syn but not new' packets Alex Butcher (vuln-dev) (Dec 12)
- Re: iptables 'syn but not new' packets Leonardo Rodrigues (Dec 13)
- Re: iptables 'syn but not new' packets Cedric Blancher (Dec 14)
- <Possible follow-ups>
- Re: iptables 'syn but not new' packets Leonardo Rodrigues (Dec 13)
- Re: iptables 'syn but not new' packets Blue Boar (Dec 11)