On Wed, 2003-08-06 at 18:42, Michael K wrote:
> Thank you.
>
> So iptables that uses connection-tracking is safe. And the old ipchains
> is not, including the old ipfwadm?
> Hurray for iptables :-)

Well, kind of. The old ipchains had a safe syn check. Manpage extract:

    -y, --syn
        Only match TCP packets with the SYN bit set and the ACK and FIN
        bits cleared.

But when using iptables' connection tracking you are usually safe.

Cheers,

Ralf

> /Klintan
>
> > -----Original Message-----
> > From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
> > [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> > Ralf Spenneberg
> > Sent: Wednesday, August 06, 2003 2:43 PM
> > To: Michael K
> > Cc: Netfilter
> > Subject: Re: discard TCP SYN
> >
> > On Wed, 2003-08-06 at 13:32, Michael K wrote:
> > > My firewall has a default policy to drop (in, out & fwd).
> > > Some protocols are open for communications, such as tcp/80, ftp/21
> > > from the internet. Then I use stateful inspection, accepting
> > > established,related. However, the nessus scanner is reporting this:
> > > -----
> > > The remote host does not discard TCP SYN packets which
> > > have the FIN flag set.
> > >
> > > Depending on the kind of firewall you are using, an
> > > attacker may use this flaw to bypass its rules.
> >
> > The better solution would be to only accept SYN packets which
> > actually are SYN packets:
> >
> >     iptables -A FORWARD -p tcp --syn -m state --state NEW -s whatever -j ACCEPT
> >
> > But ....
> > This SYN/FIN stuff comes from an old packetfilter
> > implementation which implemented a very simple SYN test: Is
> > only the SYN-bit set? Yes, then it is a SYN-packet! If you
> > relied on this test to implement the firewall rules on this
> > non-stateful packetfilter, you would create two rules:
> >
> > Allow everything from the inside to the outside including
> > SYN. Allow everything from the outside to the inside but SYN.
> >
> > Now, a TCP connection could only be initiated (meaning a SYN could be
> > sent) from the inside, right? No, you could send a SYN from
> > the outside, once you have figured out that you needed a
> > second flag set.
> > Well, I wonder what happens if you use SYN/FIN? The firewall
> > passes it and most (all?) operating systems ignore the FIN
> > and operate on the SYN. Connection established!
> >
> > Remember this is only possible on non-stateful packetfilters
> > (read: these packetfilters do not use connection tracking).
> >
> > Once you use connection tracking, that code decides in which
> > direction the connection is initiated. It is not just a
> > matter of the SYN packet.
> >
> > Cheers,
> >
> > Ralf
> > --
> > Ralf Spenneberg
> > RHCE, RHCX
> >
> > Book: Intrusion Detection für Linux Server http://www.spenneberg.com
> > IPsec-Howto http://www.ipsec-howto.org
> > Honeynet Project Mirror:
> > http://honeynet.spenneberg.org

--
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror:
http://honeynet.spenneberg.org
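The SYN/FIN bypass described in the thread, as an added worked example (not part of the original mails and not netfilter code): it parses the flag byte of a raw TCP header and runs the same packets through two filter models. The first is the two-rule stateless filter with the weak "is only the SYN bit set?" test; the second is a default-DROP filter with `--syn` matching (SYN set, ACK and FIN clear, as in the quoted manpage extract) and a small connection-tracking model that records which side initiated a flow. The conntrack model, the `StatefulFilter` class, the documentation-range addresses and the packets are all constructed for the demo; real netfilter state handling is more involved than this.

```python
import struct
from dataclasses import dataclass

# TCP flag bits as they appear in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header (no options, zero checksum) for the demo."""
    data_offset_and_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       data_offset_and_flags, 65535, 0, 0)


def parse_tcp_header(raw):
    """Return (sport, dport, flags) from a raw TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return sport, dport, off_flags & 0x3F


def flag_string(flags):
    return "/".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "none"


def naive_is_syn(flags):
    """The weak test the thread describes: 'is ONLY the SYN bit set?'"""
    return flags == SYN


def iptables_syn_match(flags):
    """--syn as quoted from the manpage: SYN set, ACK and FIN clear."""
    return bool(flags & SYN) and not (flags & (ACK | FIN))


@dataclass
class Packet:
    direction: str  # "in" (outside -> inside) or "out" (inside -> outside)
    src: str
    dst: str
    tcp: bytes


def stateless_two_rule_filter(pkt):
    """'Allow everything out; allow everything in except SYN', with the naive SYN test."""
    _, _, flags = parse_tcp_header(pkt.tcp)
    if pkt.direction == "out":
        return "ACCEPT"
    return "DROP" if naive_is_syn(flags) else "ACCEPT"


class StatefulFilter:
    """Default-DROP filter with a toy connection-tracking model (constructed for the demo).

    Rules modelled:
      --state ESTABLISHED             -> ACCEPT
      -p tcp --syn --state NEW (out)  -> ACCEPT
      -p tcp --syn --state NEW (in, dport in open set) -> ACCEPT
      everything else                 -> DROP
    """

    def __init__(self, inbound_open_ports):
        self.inbound_open_ports = set(inbound_open_ports)
        self.flows = {}  # frozenset({(ip, port), (ip, port)}) -> direction that initiated

    def _state(self, pkt, sport, dport, flags):
        key = frozenset({(pkt.src, sport), (pkt.dst, dport)})
        if key in self.flows:
            return "ESTABLISHED", key
        # Only a real SYN may open a flow; an unknown SYN/FIN is INVALID, not NEW.
        return ("NEW" if iptables_syn_match(flags) else "INVALID"), key

    def forward(self, pkt):
        sport, dport, flags = parse_tcp_header(pkt.tcp)
        state, key = self._state(pkt, sport, dport, flags)
        if state == "ESTABLISHED":
            return "ACCEPT"
        if state == "NEW" and (pkt.direction == "out" or dport in self.inbound_open_ports):
            self.flows[key] = pkt.direction  # conntrack remembers who initiated
            return "ACCEPT"
        return "DROP"


def run_demo():
    outside, inside = "203.0.113.9", "192.0.2.10"  # constructed documentation addresses
    synfin_to_ssh = Packet("in", outside, inside, build_tcp_header(40000, 22, SYN | FIN))
    syn_to_ssh = Packet("in", outside, inside, build_tcp_header(40001, 22, SYN))
    syn_to_http = Packet("in", outside, inside, build_tcp_header(40002, 80, SYN))
    ack_to_http = Packet("in", outside, inside, build_tcp_header(40002, 80, ACK, seq=1, ack=1))
    syn_out = Packet("out", inside, outside, build_tcp_header(50000, 443, SYN))
    synack_in = Packet("in", outside, inside, build_tcp_header(443, 50000, SYN | ACK, ack=1))

    results = {}
    results["stateless_synfin_to_ssh"] = stateless_two_rule_filter(synfin_to_ssh)  # the bypass
    results["stateless_syn_to_ssh"] = stateless_two_rule_filter(syn_to_ssh)

    fw = StatefulFilter(inbound_open_ports={80, 21})
    results["stateful_synfin_to_ssh"] = fw.forward(synfin_to_ssh)
    results["stateful_syn_to_ssh"] = fw.forward(syn_to_ssh)
    results["stateful_syn_to_http"] = fw.forward(syn_to_http)
    results["stateful_ack_to_http"] = fw.forward(ack_to_http)
    results["stateful_syn_out"] = fw.forward(syn_out)
    results["stateful_synack_reply"] = fw.forward(synack_in)
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:28s} {verdict}")
```

Running it shows the SYN/FIN segment to port 22 accepted by the stateless two-rule filter and dropped by the `--syn`/conntrack filter, while a plain SYN to the opened port 80 and the later packets of that flow, and the reply to a connection opened from the inside, are still accepted.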