Re: Input rule to accept new SYN flag set packets
--- Mark-Walter@t-online.de wrote:
> Hello,
>
> I've some questions concerning a new filter rule which has been
> discussed on debian-security, but with differing statements, so
> it was confusing to me.
>
> So far some rules out of my netfilter configuration:
>
> #
> # bad_tcp_packets chain
> #
> $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
> -m state --state NEW -j REJECT --reject-with tcp-reset
What I don't get here is that "--state NEW" will ONLY match when "SYN" is
set, i.e. "--tcp-flags ALL SYN". If this is wrong, then why would you not
fix "-m state" by adding "NEW-SYN" to its list of states?
> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
>     --log-prefix "New not syn:"
> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
>
If we get to these rules SYN and ACK must be set and the other flags are
not tested. This would mean that this could be a connection accept
packet, but there is no reason not to treat it as a SYN.
Would you not be better off using the mangle table to clip the ACK flag?
> #
> # allowed chain
> #
> $IPTABLES -A allowed -p TCP --syn -j ACCEPT
>
What about pkts that don't have ACK set but are SYN,FIN or SYN,URG (very
dangerous)?
> #
> # Doesn't match any packets which have the SYN flag set.
> #
> $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A allowed -p TCP -j DROP
>
Dropping in your allowed rules? Try RETURN instead, then do this drop
outside this chain. This is just difficult to follow.
> ***
> Hopefully ok.
>
> My question is now if this __NEW__ filter rule __below__ would
> make sense to avoid DOS, or basically if it's required in a
> sensible way:
>
> iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL SYN -j ACCEPT
>
This looks 100x cleaner and does basically the same thing.
> AFAIK it routes tcp net packets to localhost in the case they're new
> while source and destination is anywhere which has an unknown
> new SYN flag set besides the following: FIN,SYN,RST,PSH,ACK,URG/SYN
> as this is the difference within iptables -L.
>
> Does this make sense to avoid anything which is deprecated?
>
> --
> Best Regards,
>
> Mark
>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
>
>
__________________________________
Do you Yahoo!?
Check out the new Yahoo! Front Page.
www.yahoo.com
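As an added illustration, not code from either poster, the following Python models the two flag matches the rules above rely on: `--tcp-flags MASK COMP` matches when every bit named in MASK equals its bit in COMP and bits outside MASK are ignored, and `--syn` is documented in the iptables man page as shorthand for `--tcp-flags SYN,RST,ACK,FIN SYN`, so PSH and URG fall outside its mask. It evaluates the four rule forms from the thread against constructed packets, including the SYN,FIN and SYN,URG combinations the reply asks about. The `-m state --state NEW` part is not modelled; note that conntrack's TCP loose mode (on by default) classifies a non-SYN packet that belongs to no tracked connection as NEW too, which is what gives the `! --syn --state NEW` rule something to catch.

```python
# Added example (not from either poster in the thread): a model of the
# iptables TCP flag matches used in the rules above, run against
# constructed packets so you can see which flag combinations each form
# of rule accepts. Conntrack state (-m state) is not modelled here.

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = 0x3F  # FIN|SYN|RST|PSH|ACK|URG


def parse_flags(spec):
    """Turn an iptables flag list ('SYN,ACK', 'ALL', 'NONE') into a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        mask |= FLAGS[name]  # unknown flag name -> KeyError, as iptables would refuse it
    return mask


def tcp_flags(flags, mask, comp, negate=False):
    """--tcp-flags MASK COMP: true when every bit in MASK equals its bit in COMP.

    Bits outside MASK are ignored, which is the "other flags are not tested"
    behaviour the reply points out for --tcp-flags SYN,ACK SYN,ACK.
    """
    hit = (flags & parse_flags(mask)) == parse_flags(comp)
    return not hit if negate else hit


def syn(flags, negate=False):
    """--syn is documented as shorthand for --tcp-flags SYN,RST,ACK,FIN SYN.
    PSH and URG are outside its mask, so SYN,URG and SYN,PSH still match."""
    return tcp_flags(flags, "SYN,RST,ACK,FIN", "SYN", negate)


# The four rule forms from the thread, as predicates on a packet's flag byte.
RULES = {
    "bad_tcp: --tcp-flags SYN,ACK SYN,ACK": lambda f: tcp_flags(f, "SYN,ACK", "SYN,ACK"),
    "bad_tcp: ! --syn": lambda f: syn(f, negate=True),
    "allowed: --syn": syn,
    "INPUT: --tcp-flags ALL SYN": lambda f: tcp_flags(f, "ALL", "SYN"),
}


def evaluate(flag_spec):
    """Which of the rule forms match a packet carrying exactly these flags?"""
    f = parse_flags(flag_spec)
    return {name: rule(f) for name, rule in RULES.items()}


# Constructed sample packets, including the combinations the reply worries about.
SAMPLES = ["SYN", "SYN,ACK", "SYN,ACK,FIN", "SYN,FIN", "SYN,URG", "SYN,PSH", "ACK", "NONE"]


def matrix():
    """Rule-by-packet match table: {packet flags: {rule name: matched?}}."""
    return {s: evaluate(s) for s in SAMPLES}


if __name__ == "__main__":
    m = matrix()
    width = max(len(n) for n in RULES)
    print(" " * width, *("%-12s" % s for s in SAMPLES))
    for name in RULES:
        row = ["match" if m[s][name] else "-" for s in SAMPLES]
        print(name.ljust(width), *("%-12s" % r for r in row))
```

Running it prints a match table. Two rows are worth reading against the discussion above: `allowed: --syn` accepts SYN,URG and SYN,PSH (they are outside the `--syn` mask) but not SYN,FIN (FIN is inside it), whereas `--tcp-flags ALL SYN` accepts only a bare SYN; and `--tcp-flags SYN,ACK SYN,ACK` matches SYN,ACK,FIN just as it matches SYN,ACK, because FIN is not in its mask.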