On Wednesday, 30 March 2005 at 16:45 +0200, grumpy wrote:

> I'm using netfilter/iptables on my Debian woody box (kernel 2.6.11-5),
> and when I want to audit the security of this box with nessus, it tells me:
> "It is possible to by-pass the rules of the remote firewall by sending
> UDP packets with a source port equal to 53.
> An attacker may use this flaw to inject UDP packets to the remote hosts,
> in spite of the presence of a firewall.
[...]
> It's quite annoying!

Have you checked if this alert is true, and not some false positive? I don't think so. I mean, if Nessus sends a UDP packet (any port), it will get an ICMP port unreachable. That's typically the normal behaviour of an unfiltered box. So Nessus thinks "OK, if there's a firewall between me and this box, then this packet went through."

Speaking of your ruleset, what's the point of:

> -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

Linux treats SYN/FIN packets as SYN ones, just as it should be on any RFC-compliant stack.

Your ICMP rule is also quite bizarre. First, we can get your timestamp by looking at the TCP options of your SYN/ACK when querying port 22 or 3000. Second, your rule implicitly accepts any ICMP packets, even with INVALID state... Why not instead have something like this:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT

ICMP errors will be handled by the RELATED state and ping will be accepted (info and netmask requests are not answered by Linux).

-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
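The reply above only sketches two rules. The following is an added example, not part of the original thread or of either poster's ruleset: a shell function that emits a complete INPUT chain in iptables-restore format built around those two rules, plus a guarded helper to load it. Everything beyond the two quoted rules is an assumption made here: a default DROP policy on INPUT, loopback accepted, an explicit INVALID drop, and TCP 22 and 3000 as the only listening services (the reply mentions those two ports as reachable). The SYN/FIN rule the reply questions is deliberately left out.

```shell
#!/bin/sh
# Added example (not from the original post). Emits an iptables-restore
# fragment for the filter table, based on the two rules suggested in the
# reply. Assumed here, not stated in the post: INPUT policy DROP, loopback
# accepted, explicit INVALID drop, services on TCP 22 and 3000 only.

emit_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Packets conntrack cannot classify are dropped explicitly (the bare
# ICMP accept criticised in the reply would have let these through).
-A INPUT -m state --state INVALID -j DROP
# Replies to our own traffic, and ICMP errors tied to a tracked flow,
# match RELATED/ESTABLISHED, so no separate ICMP-error rule is needed.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Echo request only; timestamp, info and netmask requests are not accepted.
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Services actually offered; only the connection-opening SYN is needed,
# the rest of each flow is covered by ESTABLISHED above.
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3000 --syn -j ACCEPT
# Anything else, including unsolicited UDP from source port 53, falls
# through to the chain's DROP policy.
COMMIT
EOF
}

# Load the ruleset into the running kernel. Refuses to run unless root,
# and first asks iptables-restore to parse without applying (-t) so a
# syntax slip does not leave the box with a half-loaded chain.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must be root" >&2
        return 1
    fi
    emit_ruleset | iptables-restore -t || return 1
    emit_ruleset | iptables-restore
}

# Stand-alone use: print the ruleset so it can be reviewed or piped
# into iptables-restore by hand.
emit_ruleset
```

Usage: `./ruleset.sh > /etc/iptables.rules` to review, or source the file and call `apply_ruleset` as root. With INPUT policy DROP the Nessus UDP probe gets no ICMP port unreachable back at all, which is what the reply identifies as the trigger for the alert; if you prefer the host to answer unsolicited UDP with an ICMP error, append a `-j REJECT` rule instead and expect the Nessus finding to reappear as the same false positive.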