Re: iptables 'syn but not new' packets

From: Leonardo Rodrigues (coelhoat_private)
Date: Thu Dec 13 2001 - 06:16:05 PST


        You've got a nice point on that. Although I've quickly analysed it, it
    seems things won't work the way you understood them.
    
        I understand 'restart the firewall' as an 'iptables -F; iptables -X;
    iptables -Z' and not as a real machine reboot. In the case of a
    machine reboot, it would be very difficult ( if not impossible ) to
    guarantee that opened connections would remain open. Who knows how
    much time the machine will take to boot ????
    
        So ... in the case of a soft restart of the firewall ( clean and
    reload iptables rules ) it seems that established connections would remain
    as established. Connection tracking is NOT done directly by iptables.
    In fact it's done by the ip_conntrack kernel module. I've done the following
    tests:
    
        1) loaded ip_tables and ip_conntrack on a Linux machine. NO iptables
    rules were entered at all, everything was default ACCEPT. I watched
    /proc/net/ip_conntrack and noticed that connections were there. I
    tried several 'iptables -F; iptables -X; iptables -Z' and noticed that
    connection states were NOT cleaned up.
    
        2) I've unloaded all ip_tables modules and left just ip_conntrack
    loaded. The /proc/net/ip_conntrack file was correctly maintained.
    
    
        I've not REALLY tested this, but with these simple tests, it seems that a
    soft restart of the firewall ( 1-2 seconds ) would NOT lose opened
    connections, as states are NOT done directly by ip_tables.
    
        What do you think about that ??
    
        Sincerely,
        Leonardo Rodrigues
    
    ----- Original Message -----
    From: "Blue Boar" <BlueBoarat_private>
    To: "Leonardo Rodrigues" <coelhoat_private>
    Cc: <vuln-devat_private>
    Sent: Tuesday, December 11, 2001 4:00 PM
    Subject: Re: iptables 'syn but not new' packets
    
    
    > Note: I haven't used ipfilter yet, so I'm speculating.  However, I think
    > I have a pretty good idea of what's going on.
    >
    > If you've got load-balancing firewalls (like in the example you gave), or
    > if you happen to reload iptables in the middle of the day... what happens
    > to your connections?  What if you were in the middle of downloading a
    > 650MB ISO image?  If you restart the firewall, when it comes back
    > with an empty table, no SYN packet would have been seen, and the connection
    > will be blocked.
    >
    > However, if you add a feature like the above, it can then add an entry
    > to the table, and permit the rest of the connection.  The obvious
    > question is: how does the firewall know that this is the continuation
    > of a previous connection, or if it's an attacker trying to play games?
    >
    
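Leonardo's two tests above, written up as a repeatable shell check. This is an added example, not code from either poster; it assumes the 2.4-era /proc/net/ip_conntrack line format, the constructed sample lines shown in SAMPLE, and root for the live run.

```shell
#!/bin/sh
# Added example, not code from either poster: repeat Leonardo's soft-restart test.
# Snapshot the ESTABLISHED conntrack entries, flush the iptables rules, snapshot
# again and report anything that disappeared. Assumes the 2.4-era table format.
CONNTRACK=${CONNTRACK:-/proc/net/ip_conntrack}

# Read conntrack lines on stdin and print one key per line: protocol plus the
# original-direction src/dst/sport/dport. Timeouts and use counts are dropped,
# so two snapshots taken seconds apart give the same key for the same flow.
conntrack_keys() {
    awk '{
        key = $1; n = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^(src|dst|sport|dport)=/) { key = key " " $i; n++ }
            if (n == 4) break
        }
        print key
    }' | sort -u
}

# Keep only TCP entries the kernel already marks ESTABLISHED: the ones a
# rule reload must not lose.
established_keys() {
    awk '$1 == "tcp" && $4 == "ESTABLISHED"' | conntrack_keys
}

# Keys present in sorted key file $1 but missing from sorted key file $2.
lost_keys() {
    comm -23 "$1" "$2"
}

# The live test: snapshot, 'iptables -F; iptables -X; iptables -Z', snapshot, diff.
check_soft_restart() {
    before=$(mktemp); after=$(mktemp)
    established_keys < "$CONNTRACK" > "$before"
    iptables -F; iptables -X; iptables -Z
    sleep 1
    established_keys < "$CONNTRACK" > "$after"
    lost=$(lost_keys "$before" "$after" | wc -l)
    echo "established before: $(wc -l < "$before") after: $(wc -l < "$after") lost: $lost"
    rm -f "$before" "$after"
    [ "$lost" -eq 0 ]
}

# Constructed sample in /proc/net/ip_conntrack format (hypothetical addresses).
SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=10.0.0.1 sport=34567 dport=80 src=10.0.0.1 dst=192.168.1.2 sport=80 dport=34567 [ASSURED] use=1
tcp      6 119 SYN_SENT src=192.168.1.2 dst=10.0.0.1 sport=34568 dport=443 [UNREPLIED] src=10.0.0.1 dst=192.168.1.2 sport=443 dport=34568 use=1
udp      17 28 src=192.168.1.2 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=192.168.1.2 sport=53 dport=5353 use=1'
if [ "${1:-}" = "--run" ]; then check_soft_restart; fi
```

Run it with `--run` as root on the firewall itself; a non-zero exit means at least one established flow vanished from the conntrack table across the flush.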



    This archive was generated by hypermail 2b30 : Thu Dec 13 2001 - 08:39:21 PST