Re: Ambiguities in TCP/IP - firewall bypassing

From: Aaron Hopkins (listsat_private)
Date: Sat Oct 19 2002 - 01:24:39 PDT


    On Sat, 19 Oct 2002, Florian Weimer wrote:
    
    > "established" in Cisco parlance does not mean "SYN unset", but "ACK or RST
    > set".  This means that the impact for non-Linux hosts (which do not react
    > to SYN-RST packets according to Paul's survey) is less severe if your
    > filters run IOS.
    
    This is true for IOS up through 11.3.  The 12.0, 12.1, and 12.2
    documentation claims:
    
        established: (Optional) For the TCP protocol only: Indicates an
                     established connection. A match occurs if the TCP datagram
                     has the ACK, FIN, PSH, RST, SYN or URG control bits set. 
                     The nonmatching case is that of the initial TCP datagram to
                     form a connection.
    
    See:
    
        http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#xtocid2
    
    If the documentation is correct, then you can fool IOS 12.0+ "permit tcp any
    any established" at the top of an access list into letting you make
    connections to any port on at least Linux 2.4.19, Solaris 5.8, FreeBSD 4.5,
    and Windows NT 4.0, as reported by Paul Starzetz in the post starting this
    thread.
    
    Anyone want to test this?
    
    > As a result of this bug, it's quite complicated (if not impossible in some
    > configurations) to properly filter connection attempts to Linux hosts on
    > Cisco IOS routers.
    
    That's not necessarily true.  At least with current IOS (12.2, perhaps
    earlier), you can specify "permit tcp any any ack" instead of "permit tcp
    any any established" to work around this bug entirely and retain almost all
    functionality.
    
    All packets will be accepted that would have been by IOS < 12.0
    "established", except those containing RST and not ACK.  At least Linux only
    generates these in response to an ACK, which would mean you might have to
    time out the occasional connection instead of getting a "Connection reset by
    peer".
    
    So in lieu of any other fixes, I'd recommend replacing "established" with
    "ack" in all access-lists if your IOS supports it.
    
                                        -- Aaron
    
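The following is an added illustration, not code from the post or from Cisco: it models the three TCP-flag tests the thread is comparing (the pre-12 "established" as Florian describes it, the 12.0+ "established" as the quoted documentation reads, and the "ack" keyword) and runs a constructed set of probe segments through them. The literal reading of the 12.0+ documentation, the probe set, and the rule names are assumptions made for the example; whether shipped IOS actually matches that way is exactly the open question Aaron asks people to test.

```python
"""Model of the TCP-flag tests behind the IOS access-list keywords discussed
in this thread.  Added illustration, not Cisco code: the three match rules
are transcribed from the post and the probe segments are constructed here."""

from typing import Callable, Dict, List

# TCP control bits, RFC 793 layout of the flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Display order only (SYN first so crafted openers read as "SYN+...").
FLAG_NAMES = (("SYN", SYN), ("ACK", ACK), ("FIN", FIN),
              ("RST", RST), ("PSH", PSH), ("URG", URG))


def flag_str(flags: int) -> str:
    """Render a flags byte as e.g. 'SYN+RST' ('none' for a flagless segment)."""
    names = [n for n, bit in FLAG_NAMES if flags & bit]
    return "+".join(names) or "none"


def established_pre12(flags: int) -> bool:
    """'permit tcp any any established' on IOS up through 11.3, as the
    thread describes it: ACK or RST set."""
    return bool(flags & (ACK | RST))


def established_12(flags: int) -> bool:
    """'permit tcp any any established' on IOS 12.0+ as the quoted docs
    read: a match if ACK, FIN, PSH, RST, SYN or URG is set, the only
    non-match being the initial datagram of a connection, i.e. a bare SYN.
    Assumption: this literal reading is the behaviour the post asks to be
    tested; it is not confirmed anywhere in the thread."""
    if flags == SYN:
        return False
    return bool(flags & (ACK | FIN | PSH | RST | SYN | URG))


def ack_keyword(flags: int) -> bool:
    """'permit tcp any any ack': the ACK bit must be set."""
    return bool(flags & ACK)


RULES: Dict[str, Callable[[int], bool]] = {
    "established (<=11.3)": established_pre12,
    "established (12.0+)": established_12,
    "ack": ack_keyword,
}

# Constructed probe segments: ordinary traffic plus the SYN-with-extra-bits
# combinations a scanner would send to sneak an opener past the filter.
PROBES: List[int] = [
    SYN,            # normal connection attempt: must be blocked by every rule
    SYN | ACK,      # second step of a handshake
    ACK,            # ack on an open connection
    PSH | ACK,      # data segment
    FIN | ACK,      # orderly close
    RST,            # abort without ACK
    RST | ACK,      # abort with ACK
    SYN | RST, SYN | FIN, SYN | PSH, SYN | URG,  # crafted openers
]


def permitted_openers(rule: Callable[[int], bool]) -> List[str]:
    """SYN-bearing segments the rule lets through to a host behind the
    filter, i.e. the connection attempts a bypass could use."""
    return [flag_str(f) for f in PROBES if f & SYN and rule(f)]


def lost_by_switching_to_ack() -> List[str]:
    """Segments the old 'established' passes but 'ack' drops.  The post
    predicts exactly the RST-without-ACK cases."""
    return [flag_str(f) for f in PROBES
            if established_pre12(f) and not ack_keyword(f)]


def matrix() -> Dict[str, Dict[str, bool]]:
    """Full probe x rule table, keyed by the rendered flag combination."""
    return {flag_str(f): {name: rule(f) for name, rule in RULES.items()}
            for f in PROBES}


if __name__ == "__main__":
    for name, rule in RULES.items():
        print(f"{name:22s} lets openers through: {permitted_openers(rule)}")
    print("dropped when 'established' becomes 'ack':", lost_by_switching_to_ack())
```

Run stand-alone it prints, per keyword, which SYN-bearing probes reach the host: under the pre-12 rule a SYN+RST still gets through (which is why Florian's point only helps hosts that ignore SYN-RST), under the literal 12.0+ reading SYN+FIN, SYN+PSH and SYN+URG get through as well, and under "ack" only SYN+ACK does. The only traffic the switch to "ack" costs is the bare RST and the SYN+RST, matching the post's "RST and not ACK" caveat.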



    This archive was generated by hypermail 2b30 : Sat Oct 19 2002 - 13:38:33 PDT