Hi,

I read Jan's "Towards the perfect ruleset" paper [1] and I would have a question about the mentioned security risk when creating whole rulesets with the iptables command (chapter 3).

I understand why it is a bad idea to create n rules by using iptables -A ... multiple times (instead of iptables-restore), because it "downloads" the entire table n times and sets the entire table n times (performing n*2 operations) while passing n^2 rules between kernel and userspace.

The second and more interesting point is that this would also introduce a timeframe where packets could slip through while these exchanges between kernel and userspace are happening. Why does setting the policy to DROP not solve this problem? I assume these commands are processed from top to bottom; I couldn't imagine an opportunity when packets could slip through.

Example (presuming an empty INPUT chain):

  1: iptables -P INPUT DROP
  2: iptables -A INPUT -s 10.0.0.0/8 -j DROP
  3: iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT

After (1) the chain would be empty.

After (2):

  Chain INPUT (policy DROP 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination
      0     0 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0

After (3):

  Chain INPUT (policy DROP 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination
      0     0 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0
      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

I'm not using iptables -A sequences in scripts anymore but would be curious about this security risk anyway.

curious
Christoph A.

[1] http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf
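As an added example (not from Christoph's mail or from Jan's paper), here are the same three steps written as a single iptables-restore input, so the DROP policy and both rules reach the kernel in one table replace instead of three separate iptables calls. The function names are my own, and it assumes that built-in chains not listed in the input keep their existing policy.

```shell
#!/bin/sh
# Added example: the INPUT policy and rules from the mail, in
# iptables-save format. iptables-restore loads the whole *filter
# table in one operation, so there is no intermediate state in
# which the policy is set but the rules are not yet present.

# Emit the ruleset. The policy is carried in the ":INPUT DROP"
# chain header, so it becomes active together with the rules.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -p tcp --dport 22 --syn -j ACCEPT
COMMIT
EOF
}

# Number of rule lines (those starting with "-A ") in the ruleset.
rule_count() {
    build_ruleset | grep -c '^-A '
}

# The chain policy as stated in the ruleset header (here: DROP).
input_policy() {
    build_ruleset | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p'
}

# Load the ruleset atomically. Needs root and a kernel with
# netfilter; it is not called automatically by this script.
apply_ruleset() {
    build_ruleset | iptables-restore
}
```

Running `apply_ruleset` replaces the filter table in one step; `rule_count` and `input_policy` only inspect the generated text and need no privileges.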