
Re: Input rule to accept new SYN flag set packets



--- Mark-Walter@t-online.de wrote:

> Hello,
> 
> I've some questions concerning a new filter rule which has been
> discussed on debian-security but with differing statements so
> it was confusing to me.
> 
> So far some rules out of my netfilter configuration:
> 
> #
> # bad_tcp_packets chain
> #
> $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
> -m state --state NEW -j REJECT --reject-with tcp-reset
What I don't get here is that "--state NEW" will ONLY match when "SYN" is
set, i.e. "--tcp-flags ALL SYN".  If this is wrong then why would you not
fix "-m state" by adding "NEW-SYN" to its list of states?


> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
> --log-prefix "New not syn:"
> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
> 
If we get to these rules, SYN and ACK must be set and the other flags are
not tested.  This would mean that this could be a connection accept
packet, but there is no reason not to treat it as a SYN.

Would you not be better off using the mangle table to clip the ACK flag?

> #
> # allowed chain
> #
> $IPTABLES -A allowed -p TCP --syn -j ACCEPT
> 
What about pkts that don't have ACK set but are SYN,FIN or SYN,URG (very
dangerous)?

> #
> # Doesn't match any packets which have the SYN flag set.
> #
> $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A allowed -p TCP -j DROP
> 
Dropping in your allowed rules?  Try return instead, then do this drop
outside this chain.  This is just difficult to follow.

> ***
> Hopefully ok. 
> 
> My question is now if this __NEW__ filter rule __below__ would
> make sense to avoid DOS or basically if it's required in a
> senseful way:
> 
> iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL
>         SYN -j ACCEPT
> 
This looks 100x cleaner and does basically the same thing.

> AFAIK it routes tcp net packets to localhost in the case they're new
> while source and destination is anywhere which has an unknown
> new SYN flag set besides the following: FIN,SYN,RST,PSH,ACK,URG/SYN
> as this is the difference within iptables -L.
> 
> Does this make sense to avoid anything which is deprecated?
> 
> -- 
> Best Regards,
> 
> Mark
> 

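The thread turns on what `--tcp-flags MASK COMP` and `--syn` actually match. The following is an added example, not code from either poster: a small Python model of the flag test from iptables(8) (`(packet_flags & MASK) == COMP`, with `--syn` being shorthand for `--tcp-flags SYN,RST,ACK,FIN SYN`) applied to the four rules quoted above. Conntrack state (`-m state`) is deliberately not modelled, and the sample packets are constructed.

```python
# Added example: model iptables --tcp-flags / --syn matching for the rules in the thread.
# Assumption: only the TCP flag test is modelled; "-m state --state NEW" is ignored.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())


def parse_flags(spec):
    """Turn an iptables flag list such as 'SYN,ACK' into a bitmask ('ALL'/'NONE' as in iptables(8))."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))


def tcp_flags_match(pkt_flags, mask, comp, negate=False):
    """--tcp-flags MASK COMP: examine only the MASK bits, require them to equal COMP."""
    hit = (pkt_flags & parse_flags(mask)) == parse_flags(comp)
    return not hit if negate else hit


def syn_match(pkt_flags, negate=False):
    """--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN (PSH and URG are not examined)."""
    return tcp_flags_match(pkt_flags, "SYN,RST,ACK,FIN", "SYN", negate)


# The four flag tests quoted in the thread, in the order they appear.
RULES = [
    ("bad_tcp: SYN,ACK SYN,ACK -> REJECT", lambda f: tcp_flags_match(f, "SYN,ACK", "SYN,ACK")),
    ("bad_tcp: ! --syn -> DROP", lambda f: syn_match(f, negate=True)),
    ("allowed: --syn -> ACCEPT", lambda f: syn_match(f)),
    ("INPUT: --tcp-flags ALL SYN -> ACCEPT", lambda f: tcp_flags_match(f, "ALL", "SYN")),
]


def matching_rules(spec):
    """Return the names of the rules whose flag test a packet with flags `spec` would satisfy."""
    flags = parse_flags(spec)
    return [name for name, test in RULES if test(flags)]


# Constructed sample packets: a clean SYN, a SYN/ACK, a SYN/ACK with FIN, and the
# odd combinations the reply asks about.
SAMPLE_PACKETS = ["SYN", "SYN,ACK", "SYN,ACK,FIN", "ACK", "SYN,FIN", "SYN,URG"]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt:12} -> {matching_rules(pkt)}")
```

Running it shows the two points made in the reply: `--tcp-flags SYN,ACK SYN,ACK` still fires on SYN,ACK,FIN because FIN is outside the mask, and `--syn` lets SYN,URG through while `--tcp-flags ALL SYN` does not.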