You've got a nice point on that. Although I've quickly analysed it, it seems things won't work the way you understood them. I understand 'restart the firewall' as an 'iptables -F; iptables -X; iptables -Z' and not as a real machine reboot. In the case of a machine reboot, it would be very difficult (if not impossible) to guarantee that opened connections would remain opened. Who knows how much time the machine will take to boot ????

So ... in the case of a soft restart of the firewall (clean and reload iptables rules) it seems that established connections would remain as established. Connection tracking is NOT done directly by iptables. In fact it's done by the ip_conntrack kernel module. I've done the following tests:

1) Loaded ip_tables and ip_conntrack on a linux machine. NO iptables rules were entered at all, everything was default ACCEPT. I watched /proc/net/ip_conntrack and noticed that connections were there. I've tried several 'iptables -F; iptables -X; iptables -Z' and noticed that connection states were NOT cleaned up.

2) I've unloaded all ip_table modules and left just ip_conntrack loaded. The /proc/net/ip_conntrack file was correctly maintained.

I've not REALLY tested this, but with these simple tests, it seems that a soft restart of the firewall (1-2 seconds) would NOT lose opened connections, as states are NOT done directly by ip_tables.

What do you think on that ??

Sincerely,
Leonardo Rodrigues

----- Original Message -----
From: "Blue Boar" <BlueBoarat_private>
To: "Leonardo Rodrigues" <coelhoat_private>
Cc: <vuln-devat_private>
Sent: Tuesday, December 11, 2001 4:00 PM
Subject: Re: iptables 'syn but not new' packets

> Note: I haven't used ipfilter yet, so I'm speculating. However, I think
> I have a pretty good idea of what's going on.
>
> If you've got load-balancing firewalls (like in the example you gave), or
> if you happen to reload iptables in the middle of the day... what happens
> to your connections? What if you were in the middle of downloading a
> 650MB ISO image? If you restart the firewall, when it comes back
> with an empty table, no SYN packet would have been seen, and the connection
> will be blocked.
>
> However, if you add a feature like the above, it can then add an entry
> to the table, and permit the rest of the connection. The obvious
> question is: how does the firewall know that this is the continuation
> of a previous connection, or if it's an attacker trying to play games?
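A snapshot-and-diff helper for the test Leonardo describes (watching /proc/net/ip_conntrack across a rule flush), added here as an example and not part of either post; the two snapshots are constructed sample data in the 2.4-era ip_conntrack format, and the function names are my own.

```python
import re

# Constructed sample snapshots of /proc/net/ip_conntrack, standing in for a read
# taken BEFORE and a read taken AFTER 'iptables -F; iptables -X; iptables -Z'.
BEFORE = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=40112 dport=80 src=192.0.2.10 dst=10.0.0.5 sport=80 dport=40112 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=10.0.0.5 dst=192.0.2.11 sport=40113 dport=443 src=192.0.2.11 dst=10.0.0.5 sport=443 dport=40113 [ASSURED] use=1
udp      17 29 src=10.0.0.5 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=10.0.0.5 sport=53 dport=5353 use=1
"""
AFTER = """\
tcp      6 431998 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=40112 dport=80 src=192.0.2.10 dst=10.0.0.5 sport=80 dport=40112 [ASSURED] use=1
udp      17 28 src=10.0.0.5 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=10.0.0.5 sport=53 dport=5353 use=1
"""

# proto, protocol number, timeout, optional TCP state, then the original-direction tuple.
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
)


def parse_conntrack(text):
    """Map each entry's original-direction 5-tuple to its state ('-' for stateless protocols such as UDP)."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a conntrack entry
        key = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        entries[key] = m["state"] or "-"
    return entries


def lost_connections(before, after):
    """Tuples tracked before the reload but gone afterwards: what a reload would have cost you."""
    b, a = parse_conntrack(before), parse_conntrack(after)
    return {k: b[k] for k in b if k not in a}


if __name__ == "__main__":
    for tup, state in lost_connections(BEFORE, AFTER).items():
        print("lost:", tup, state)
```

On a live box you would read /proc/net/ip_conntrack into BEFORE, run the flush, and read it again into AFTER; an empty result is what the author's observation predicts, since the flush touches the rule tables and not the conntrack table (the TIME_WAIT entry in the sample simply timed out).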
This archive was generated by hypermail 2b30 : Thu Dec 13 2001 - 08:39:21 PST