On Wed, 26 Aug 2009, Pascal Hambourg wrote:

> Jozsef Kadlecsik a écrit :
> >
> > I usually say that conntrack is not a policy-decision machine and
> > therefore should not drop packets.
>
> I strongly agree.
>
> > However, for the protocol helpers I strongly believe if the helper can't
> > figure out the protocol elements due to any kind of parser error, then
> > the packet should be dropped. Otherwise we may open up possible DoS attack
> > vectors to sloppy server/client implementations.
>
> As a user, I do not expect packets to be dropped when I just enable
> conntrack without loading any filtering rule. Wouldn't it be better (if
> possible) to flag these packets so they can be dropped - or not - by
> iptables?

There are a few cases when the conntrack core cannot but drop packets. But
those are very exceptional indeed.

But here we are discussing the protocol helpers: in order to reliably and
safely handle the related connection - and to prevent being fooled by
deliberately broken, mangled, etc. patterns - the helpers too may have no
choice but to drop the unparseable packet. And it's not up to the user to
decide whether the packet should still be let through, because it could
defeat the access control rules.

For a good example just have a look at the article 'Breaking through a
Firewall using a forged FTP command' in Phrack #63.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
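The point Jozsef makes above is that a helper which cannot parse a command has no safe verdict other than drop, because an expectation derived from a guessed or partially parsed command would let the related connection bypass the filtering rules. The following is an added illustration, not code from the thread or from nf_conntrack_ftp: a hypothetical FTP helper's strict parser for the RFC 959 `PORT h1,h2,h3,h4,p1,p2` command. It returns a verdict enum (names `HELPER_ACCEPT`, `HELPER_DROP_PARSE`, `HELPER_DROP_MISMATCH` are assumed here, not a kernel API) and treats any deviation from the exact grammar - missing CRLF, trailing junk, overlong or out-of-range fields, stray whitespace - as a parse error to be dropped rather than repaired. It also refuses an expectation whose announced address differs from the control connection's source, the check that makes the forged-command scenario fail closed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict a helper hands back to the conntrack core. Illustrative names,
 * not nf_conntrack_ftp's real interface. */
enum helper_verdict {
    HELPER_ACCEPT,        /* parsed; an expectation may be registered   */
    HELPER_DROP_PARSE,    /* command present but unparseable: drop      */
    HELPER_DROP_MISMATCH  /* parsed, but address != control connection  */
};

/* Parse one decimal field of 1..3 digits in the range 0..255, advancing *p
 * on success. Returns 0 on any deviation: no whitespace skipping, no
 * overlong numbers, no best-effort guessing. */
static int parse_octet(const char **p, unsigned *out)
{
    unsigned v = 0;
    int n = 0;

    while (n < 3 && (*p)[n] >= '0' && (*p)[n] <= '9') {
        v = v * 10 + (unsigned)((*p)[n] - '0');
        n++;
    }
    if (n == 0 || v > 255)
        return 0;
    *p += n;
    *out = v;
    return 1;
}

/* Parse "PORT h1,h2,h3,h4,p1,p2\r\n". On success writes the announced
 * IPv4 address and port (host byte order). src_ip is the source address of
 * the control connection as seen by conntrack; an announced address that
 * differs from it is refused rather than turned into an expectation. */
enum helper_verdict parse_port_cmd(const char *line, uint32_t src_ip,
                                   uint32_t *ip, uint16_t *port)
{
    const char *p = line;
    unsigned f[6];
    int i;

    if (strncmp(p, "PORT ", 5) != 0)
        return HELPER_DROP_PARSE;
    p += 5;

    for (i = 0; i < 6; i++) {
        if (!parse_octet(&p, &f[i]))
            return HELPER_DROP_PARSE;
        if (i < 5) {
            if (*p != ',')
                return HELPER_DROP_PARSE;
            p++;
        }
    }

    /* The command must end exactly here; anything else is a parse error. */
    if (strcmp(p, "\r\n") != 0)
        return HELPER_DROP_PARSE;

    *ip   = (uint32_t)((f[0] << 24) | (f[1] << 16) | (f[2] << 8) | f[3]);
    *port = (uint16_t)((f[4] << 8) | f[5]);

    if (*ip != src_ip)
        return HELPER_DROP_MISMATCH;
    return HELPER_ACCEPT;
}

int main(void)
{
    /* Constructed sample: control connection comes from 10.0.0.1. */
    const uint32_t src = 0x0A000001u;
    const char *samples[] = {
        "PORT 10,0,0,1,4,1\r\n",     /* well-formed, matches source */
        "PORT 10,0,0,2,4,1\r\n",     /* well-formed, other address  */
        "PORT 10,0,0,1,4,1,7\r\n",   /* trailing field               */
        "PORT 10,0,0,1,4,999\r\n",   /* out-of-range field           */
        "PORT 10,0,0,1,4,1",         /* missing CRLF                 */
    };
    static const char *names[] = { "ACCEPT", "DROP_PARSE", "DROP_MISMATCH" };
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        uint32_t ip = 0;
        uint16_t port = 0;
        enum helper_verdict v = parse_port_cmd(samples[n], src, &ip, &port);
        printf("%-26.26s -> %s\n", samples[n], names[v]);
    }
    return 0;
}
```

Run stand-alone it prints the verdict for each constructed sample. The design choice mirrors the thread's argument: the parser never "recovers" from a malformed command, so the only expectation ever registered is one derived from a command the helper fully understood and whose endpoint matches the peer it was talking to.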