Thank you. So iptables that uses connection tracking is safe, and the old ipchains is not, including the old ipfwadm?

Hurray for iptables :-)

/Klintan

> -----Original Message-----
> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> Ralf Spenneberg
> Sent: Wednesday, August 06, 2003 2:43 PM
> To: Michael K
> Cc: Netfilter
> Subject: Re: discard TCP SYN
>
>
> On Wed, 2003-08-06 at 13:32, Michael K wrote:
> > My firewall has a default policy to drop (in, out & fwd).
> > Some protocols are open for communication, such as tcp/80, ftp/21
> > from the internet. Then I use stateful inspection, accepting
> > established,related. However, the nessus scanner is reporting this:
> > -----
> > The remote host does not discard TCP SYN packets which
> > have the FIN flag set.
> >
> > Depending on the kind of firewall you are using, an
> > attacker may use this flaw to bypass its rules.
>
> The better solution would be to only accept SYN packets which
> actually are SYN packets:
>
>     iptables -A FORWARD -p tcp --syn -m state --state NEW -s whatever -j ACCEPT
>
> But ....
> This SYN/FIN stuff comes from an old packet-filter
> implementation which implemented a very simple SYN test: Is
> only the SYN bit set? Yes, then it is a SYN packet! If you
> relied on this test to implement the firewall rules on this
> non-stateful packet filter, you would create two rules:
>
> Allow everything from the inside to the outside, including
> SYN. Allow everything from the outside to the inside but SYN.
>
> Now, a TCP connection could only be initiated (meaning a SYN could be
> sent) from the inside, right? No, you could send a SYN from
> the outside, once you have figured out that you needed a
> second flag set.
> Well, I wonder what happens if you use SYN/FIN? The firewall
> passes it and most (all?) operating systems ignore the FIN
> and operate on the SYN. Connection established!
>
> Remember this is only possible on non-stateful packet filters
> (read: these packet filters do not use connection tracking).
>
> Once you use connection tracking, that code decides in which
> direction the connection is initiated. It is not just a
> matter of the SYN packet.
>
> Cheers,
>
> Ralf
> --
> Ralf Spenneberg
> RHCE, RHCX
>
> Book: Intrusion Detection für Linux Server http://www.spenneberg.com
> IPsec-Howto http://www.ipsec-howto.org
> Honeynet Project Mirror:
> http://honeynet.spenneberg.org
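To make the difference Ralf describes concrete, here is an added example (not code from the thread) that models three things on raw TCP headers: the old "only the SYN bit set" test versus what iptables' `--syn` actually matches, the stateless "allow inbound except SYN" rule that a SYN/FIN packet slips past, and a toy connection tracker that decides by the direction a flow was opened. The filter class, the host addresses and the ports are assumptions for illustration only.

```python
import struct

# TCP flag bits, the low six bits of the header's 16-bit data-offset/flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def tcp_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header (constructed input; seq/ack/checksum left 0)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)

def tcp_flags(header):
    """Return the six flag bits of a raw TCP header."""
    return struct.unpack("!H", header[12:14])[0] & 0x3F

def naive_is_syn(flags):
    """The old packet-filter test from the thread: is *only* the SYN bit set?"""
    return flags == SYN

def iptables_syn(flags):
    """What iptables --syn matches (--tcp-flags SYN,RST,ACK,FIN SYN): SYN set, the other three clear."""
    return flags & (SYN | RST | ACK | FIN) == SYN

def stateless_inbound_allowed(header):
    """Stateless rule from the mail: allow everything from the outside except SYN."""
    return not naive_is_syn(tcp_flags(header))

class StatefulFilter:
    """Toy connection tracker (assumed, not netfilter's) with the accept-list rules
    from the mail: a NEW flow is accepted only for a genuine SYN from a permitted
    source, and any other packet is accepted only if it belongs to a flow already seen."""

    def __init__(self, permitted_sources):
        self.permitted = set(permitted_sources)
        self.flows = set()  # (src, sport, dst, dport) in the direction the flow was opened

    def packet(self, src, dst, header):
        sport, dport = struct.unpack("!HH", header[:4])
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in self.flows or rev in self.flows:
            return True  # ESTABLISHED: the direction was decided when the flow was opened
        # NEW: the flag combination must be a real SYN and the source must be permitted
        if iptables_syn(tcp_flags(header)) and src in self.permitted:
            self.flows.add(fwd)
            return True
        return False
```

With the stateless rule a SYN/FIN header from outside is accepted, while the stateful filter drops it because it is neither a `--syn` match nor part of a flow the inside opened.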