Vulnerability Development mailing list archives
Re: iptables 'syn but not new' packets
From: "Leonardo Rodrigues" <coelho () persogo com br>
Date: Thu, 13 Dec 2001 11:16:05 -0300
You've got a nice point on that. Although I've quickly analysed it, and it seems things won't work the way you understood them. I understand 'restart the firewall' as an 'iptables -F; iptables -X; iptables -Z' and not as a real machine reboot. In the case of a machine reboot, it would be very difficult (if not impossible) to guarantee that opened connections would remain open. Who knows how much time the machine will take to boot ???? So ... in the case of a soft restart of the firewall (clean and reload iptables rules) it seems that established connections would remain as established.

Connection tracking is NOT done directly by iptables. In fact it's done by the ip_conntrack kernel module. I've done the following tests:

1) Loaded ip_tables and ip_conntrack on a Linux machine. NO iptables rules were entered at all, everything was default ACCEPT. I watched /proc/net/ip_conntrack and noticed that connections were there. I've tried several 'iptables -F; iptables -X; iptables -Z' and noticed that connection states were NOT cleaned up.

2) I've unloaded all ip_tables modules and left just ip_conntrack loaded. The /proc/net/ip_conntrack file was correctly maintained.

I've not REALLY tested this, but with these simple tests, it seems that a soft restart of the firewall (1-2 seconds) would NOT lose opened connections, as states are NOT done directly by ip_tables.

What do you think on that ??

Sincerely,
Leonardo Rodrigues

----- Original Message -----
From: "Blue Boar" <BlueBoar () thievco com>
To: "Leonardo Rodrigues" <coelho () persogo com br>
Cc: <vuln-dev () securityfocus com>
Sent: Tuesday, December 11, 2001 4:00 PM
Subject: Re: iptables 'syn but not new' packets
Note: I haven't used ipfilter yet, so I'm speculating. However, I think I have a pretty good idea of what's going on.

If you've got load-balancing firewalls (like in the example you gave), or if you happen to reload iptables in the middle of the day... what happens to your connections? What if you were in the middle of downloading a 650MB ISO image? If you restart the firewall, when it comes back with an empty table, no SYN packet would have been seen, and the connection will be blocked. However, if you add a feature like the above, it can then add an entry to the table, and permit the rest of the connection.

The obvious question is: how does the firewall know that this is the continuation of a previous connection, or if it's an attacker trying to play games?
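A way to check the claim in Leonardo's post (that tracked ESTABLISHED connections survive a rule flush), added here as an example and not part of the original thread: a POSIX shell script that compares two /proc/net/ip_conntrack snapshots taken before and after 'iptables -F; iptables -X; iptables -Z'. The snapshot lines are constructed, not captured from a real host, and live_check is an assumed wrapper (needs root) around the same iptables commands the post uses.

```shell
#!/bin/sh
# Does ESTABLISHED state survive 'iptables -F; iptables -X; iptables -Z'?
# Compare two conntrack-table snapshots taken before and after the flush.

# Reduce a conntrack dump to sorted ESTABLISHED TCP tuples (original direction)
# so two snapshots can be compared line by line. Handles both the 2.4-era
# /proc/net/ip_conntrack layout and /proc/net/nf_conntrack, which prefixes "ipv4 2".
established_tuples() {
    awk '{ o = ($1 == "ipv4") ? 2 : 0
           if ($(1+o) != "tcp" || $(4+o) != "ESTABLISHED") next
           split($(5+o), s, "="); split($(6+o), d, "="); split($(7+o), sp, "="); split($(8+o), dp, "=")
           print s[2] ":" sp[2] "->" d[2] ":" dp[2] }' "$1" | sort -u
}

# Print every ESTABLISHED tuple present in snapshot $1 but missing from $2.
lost_entries() {
    established_tuples "$1" | while read -r t; do
        established_tuples "$2" | grep -qxF -- "$t" || echo "$t"
    done
    return 0
}

# Live version of the test described in the post (assumed wrapper, needs root).
# The rule set is saved first so the flush can be undone afterwards.
live_check() {
    table=${1:-/proc/net/ip_conntrack}
    b=$(mktemp); a=$(mktemp); saved=$(mktemp)
    iptables-save > "$saved"
    cat "$table" > "$b"
    iptables -F; iptables -X; iptables -Z
    cat "$table" > "$a"
    iptables-restore < "$saved"
    lost_entries "$b" "$a"
}

# Constructed snapshots (not captured from a real host): the SSH session survives
# the flush, the HTTP session does not, and non-ESTABLISHED lines are ignored.
CT_BEFORE=$(mktemp); CT_AFTER=$(mktemp)
cat > "$CT_BEFORE" <<'EOF'
tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=33456 dport=22 src=10.0.0.1 dst=10.0.0.2 sport=22 dport=33456 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=10.0.0.2 dst=10.0.0.1 sport=33457 dport=22 src=10.0.0.1 dst=10.0.0.2 sport=22 dport=33457 [ASSURED] use=1
tcp      6 431998 ESTABLISHED src=10.0.0.3 dst=192.0.2.10 sport=40000 dport=80 src=192.0.2.10 dst=10.0.0.3 sport=80 dport=40000 [ASSURED] use=1
udp      17 29 src=10.0.0.2 dst=10.0.0.1 sport=5353 dport=53 src=10.0.0.1 dst=10.0.0.2 sport=53 dport=5353 use=1
EOF
cat > "$CT_AFTER" <<'EOF'
tcp      6 431990 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=33456 dport=22 src=10.0.0.1 dst=10.0.0.2 sport=22 dport=33456 [ASSURED] use=1
EOF
echo "ESTABLISHED entries lost across the flush (constructed sample):"
lost_entries "$CT_BEFORE" "$CT_AFTER"
```

An empty report from live_check on a box with open sessions supports the post's conclusion; any printed tuple is a connection the flush did lose tracking for.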