Vulnerability Development mailing list archives

Re: iptables 'syn but not new' packets


From: "Leonardo Rodrigues" <coelho () persogo com br>
Date: Thu, 13 Dec 2001 11:16:05 -0300


    You've got a nice point on that. Although I've only analysed it quickly,
it seems things won't work the way you understood them.

    I understand 'restart the firewall' as an 'iptables -F; iptables -X;
iptables -Z' and not as a real machine reboot. In the case of a
machine reboot, it would be very difficult (if not impossible) to
guarantee that open connections would remain open. Who knows how
much time the machine will take to boot?

    So ... in the case of a soft restart of the firewall (clear and
reload iptables rules) it seems that established connections would remain
established. Connection tracking is NOT done directly by iptables.
In fact it's done by the ip_conntrack kernel module. I've done the following
tests:

    1) Loaded ip_tables and ip_conntrack on a Linux machine. NO iptables
rules were entered at all; everything was default ACCEPT. I watched
/proc/net/ip_conntrack and noticed that connections were there. I
tried several 'iptables -F; iptables -X; iptables -Z' runs and noticed that
connection states were NOT cleaned up.

    2) I unloaded all ip_tables modules and left just ip_conntrack
loaded. The /proc/net/ip_conntrack file was correctly maintained.


    I've not REALLY tested this, but from these simple tests it seems that a
soft restart of the firewall (1-2 seconds) would NOT lose open
connections, as states are NOT kept directly by ip_tables.

    What do you think about that?

    Sincerely,
    Leonardo Rodrigues

----- Original Message -----
From: "Blue Boar" <BlueBoar () thievco com>
To: "Leonardo Rodrigues" <coelho () persogo com br>
Cc: <vuln-dev () securityfocus com>
Sent: Tuesday, December 11, 2001 4:00 PM
Subject: Re: iptables 'syn but not new' packets


Note: I haven't used ipfilter yet, so I'm speculating.  However, I think
I have a pretty good idea of what's going on.

If you've got load-balancing firewalls (like in the example you gave), or
if you happen to reload iptables in the middle of the day... what happens
to your connections?  What if you were in the middle of downloading a
650MB ISO image?  If you restart the firewall, when it comes back
with an empty table, no SYN packet would have been seen, and the connection
will be blocked.

However, if you add a feature like the above, it can then add an entry
to the table, and permit the rest of the connection.  The obvious
question is: how does the firewall know that this is the continuation
of a previous connection, or if it's an attacker trying to play games?

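The experiment Leonardo describes (snapshot /proc/net/ip_conntrack, flush and reload the rules, snapshot again, see what vanished) can be scripted so the comparison is not done by eye. The script below is an added example and is not code from either poster. It assumes the 2.4-era /proc/net/ip_conntrack layout (proto name, proto number, timeout, TCP state, original tuple, reply tuple); on current kernels the same rows appear in /proc/net/nf_conntrack with two extra leading columns, or via `conntrack -L`. The two sample dumps are constructed for the example, and the small ruleset reloaded by soft_restart_firewall (including the conventional drop of a non-SYN packet that conntrack classes as NEW) is an illustrative assumption, not the rule the thread is arguing about. The live check needs root and is defined but never run automatically.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the connection-tracking table
# before and after a "soft restart" of the firewall. Assumes a 2.4-era kernel
# that exposes the table as /proc/net/ip_conntrack; on current kernels the same
# rows are in /proc/net/nf_conntrack (two extra leading columns) or `conntrack -L`.
export LC_ALL=C

# Reduce a conntrack dump to one sortable line per flow: protocol, TCP state,
# and the original-direction tuple. Only TCP rows carry a state column, so UDP
# rows get "-" there to keep the column count constant.
normalize_conntrack() {
    awk '
        $1 == "tcp" { print $1, $4, $5, $6, $7, $8; next }
        $1 == "udp" { print $1, "-", $4, $5, $6, $7 }
    ' "$1" | sort
}

# Flows present in the "before" dump ($1) but absent from the "after" dump ($2).
lost_flows() {
    b=$(mktemp); a=$(mktemp)
    normalize_conntrack "$1" > "$b"
    normalize_conntrack "$2" > "$a"
    comm -23 "$b" "$a"
    rm -f "$b" "$a"
}

count_lost() {
    lost_flows "$1" "$2" | wc -l | tr -d ' '
}

# The soft restart under discussion: flush rules, delete user chains, zero
# counters, reload. Needs root and iptables, so it is defined for reference
# and never called automatically here. The ruleset is an assumption for the
# example, not the thread's; the "! --syn ... NEW" DROP is the conventional
# guard against a mid-stream packet that conntrack has no state for.
soft_restart_firewall() {
    iptables -F
    iptables -X
    iptables -Z
    iptables -P INPUT DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# Live version of the experiment: snapshot, restart, wait a moment, snapshot
# again, and list whatever the restart cost us. Root only.
check_live_restart() {
    table=${1:-/proc/net/ip_conntrack}
    before=$(mktemp); after=$(mktemp)
    cat "$table" > "$before"
    soft_restart_firewall
    sleep 2
    cat "$table" > "$after"
    lost_flows "$before" "$after"
    rm -f "$before" "$after"
}

# Constructed sample dumps in the 2.4 /proc/net/ip_conntrack layout; these are
# made up for the example, not captured from a real host.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/before" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=10.0.0.1 sport=34567 dport=80 src=10.0.0.1 dst=192.168.1.2 sport=80 dport=34567 [ASSURED] use=1
tcp      6 299 ESTABLISHED src=192.168.1.7 dst=10.0.0.9 sport=40122 dport=22 src=10.0.0.9 dst=192.168.1.7 sport=22 dport=40122 [ASSURED] use=1
udp      17 29 src=192.168.1.2 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=192.168.1.2 sport=53 dport=5353 use=1
EOF
# After "iptables -F; -X; -Z" the table is unchanged: the flush touches rules, not state.
cp "$SAMPLES/before" "$SAMPLES/after_flush"
# What a real loss of state looks like: the long HTTP download's entry is gone.
grep -v 'dport=80 ' "$SAMPLES/before" > "$SAMPLES/after_lost"

echo "flows lost by soft restart: $(count_lost "$SAMPLES/before" "$SAMPLES/after_flush")"
echo "flows lost when state is dropped: $(count_lost "$SAMPLES/before" "$SAMPLES/after_lost")"
lost_flows "$SAMPLES/before" "$SAMPLES/after_lost"
```

Run as root with `check_live_restart` to repeat the test against the real table; the constructed samples only show what the comparison reports in the two cases (rules flushed with state intact, versus state actually gone), which is the distinction the thread turns on.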