netfilter bypassed by nessus using UDP packets with source port 53

Hi,

I'm using netfilter/iptables on my Debian woody box (kernel 2.6.11-5),
and when I want to audit the security of this box with nessus, it tells me:
"It is possible to by-pass the rules of the remote firewall by sending
UDP packets with a source port equal to 53.

An attacker may use this flaw to inject UDP packets to the remote hosts,
in spite of the presence of a firewall.

Solution : Review your firewall rules policy
Risk factor : High
BID : 7436, 11237"

It's quite annoying!

Here is the output of iptables-save:
# Generated by iptables-save v1.2.6a on Wed Mar 30 16:12:56 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [37566:1649215]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth0 -p icmp -m icmp ! --icmp-type 13 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -o eth1 -j REJECT --reject-with icmp-net-prohibited
COMMIT
# Completed on Wed Mar 30 16:12:56 2005

NB: I have a web server on port 3000 since I'm using ntop to monitor the
network with eth1

regards,
grumpy
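As an added example (not from the post or from the netfilter project), a small Python audit over the iptables-save output above: it lists INPUT ACCEPT rules keyed on UDP source port 53 with no conntrack state match, and ACCEPT rules that match nothing but an input interface. On the posted rules it finds no source-port rule at all, but it does flag the `lo` and `eth1` catch-alls; those and the RELATED,ESTABLISHED rule are the only paths past the DROP policy that a UDP packet from source port 53 could take, so they are what to compare against the interface Nessus scanned from.

```python
# Constructed sample: the filter table from the iptables-save output in the post.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [37566:1649215]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth0 -p icmp -m icmp ! --icmp-type 13 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -o eth1 -j REJECT --reject-with icmp-net-prohibited
COMMIT
"""

def _opt(tokens, flag):
    """Value following `flag` in a tokenised rule, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def accept_rules(rules_text, chain="INPUT"):
    """Yield tokenised `-A <chain>` rules whose target is ACCEPT."""
    for line in rules_text.splitlines():
        t = line.split()
        if t[:2] == ["-A", chain] and _opt(t, "-j") == "ACCEPT":
            yield t

def udp_source_port_accepts(rules_text, port="53"):
    """ACCEPT rules keyed on a UDP source port with no conntrack state match:
    a packet only has to claim that source port to pass such a rule."""
    return [" ".join(t) for t in accept_rules(rules_text)
            if _opt(t, "-p") in ("udp", None)
            and _opt(t, "--sport") == port
            and "--state" not in t]

def interface_only_accepts(rules_text):
    """ACCEPT rules that match nothing but an input interface: every packet
    arriving there is accepted, whatever its protocol or source port."""
    selective = {"-p", "-s", "--sport", "--dport", "--state"}
    return [" ".join(t) for t in accept_rules(rules_text)
            if not selective & set(t)]

if __name__ == "__main__":
    print("UDP sport-keyed accepts:", udp_source_port_accepts(SAMPLE_RULES))
    print("interface-only accepts: ", interface_only_accepts(SAMPLE_RULES))
```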
