Re: Interesting article about punching holes in firewalls...

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Carl-Daniel Hailfinger wrote:
I personally have known that using "-m state --state
ESTABLISHED,RELATED" was not the most secure thing to use for returning
traffic.  Namely this will allow you to make a valid connection to a web
server, say to retrieve a picture.  Then said web server could send
malicious traffic back to your computer and pass through your firewall.
 This is because the traffic coming from the web server to your computer
is now deemed as RELATED.  Previously I have written this off as not

This is wrong on so many levels. Please reread the article. Then read
the source code of your favourite firewalling system. All of those
"attacks" require cooperation from your side. And if you (or someone
using the computer you try to protect) are actively cooperating with
the attacker, "fixing" the firewall should be the least important of
your problems.

I have read the article. I suspect that my uncertainty has to do with lack of how the SPI portion of the code works. I am not qualified to read the source code to make an informed opinion. I was (mis)believing that the SPI was very simple in the fact that it would classify any returning traffic coming back from a host as related. Now, I'm getting the impression that this is not the case and that only specific packets are considered related.

Can / will someone that is more versed in programming / reading source code please give me a brief overview of how the kernel decides what is and is not related.



Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux