Cedric Blancher wrote:
> On Sunday, 17 December 2006 at 20:51 -0600, Grant Taylor wrote:
> > I personally have known that using "-m state --state
> > ESTABLISHED,RELATED" was not the most secure thing to use for returning
> > traffic. Namely this will allow you to make a valid connection to a web
> > server, say to retrieve a picture. Then said web server could send
> > malicious traffic back to your computer and pass through your firewall.
> > This is because the traffic coming from the web server to your
> > computer is now deemed as RELATED.
> How? Afaik RELATED is used for two types of packets:
> . ICMP errors matching previously seen IP flow
> . First packet of expectations created through a helper
One can think about spoofed ICMP errors, but there really is not a lot
we can do about that. (And for tcp they SHOULD be ignored anyhow. OTOH
an attacker can spoof a RST packet.)
I do assume in all this that the only ICMP traffic matching RELATED are
true ICMP errors (afair host/net unreachable and fragmentation needed).
If this also opens up say ICMP redirect[1] we may have a slight problem.
It is possible netfilter does this to accommodate bridging setups. Anyone
can comment on this? If this opens up the connection for any other ICMP
traffic, I think that's a bug. But I cannot imagine netfilter does this,
anyone know for sure?
M4
[1] redirect in Linux is also sanity checked, so the risk is not even
that great, but still.
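As an added example (not code from anyone in this thread), here is one way to stop relying on the answer to the question above: keep accepting ESTABLISHED as before, but route RELATED through a dedicated chain that only admits an explicit list of ICMP error types (the iptables `--icmp-type` names) and non-ICMP helper expectations, logging and dropping any other RELATED ICMP, and additionally tell the kernel to ignore redirects. It assumes iptables with the `state` match, as used in the thread; the chain name `RELATED_IN` and the log prefix are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: narrow the usual
# "-m state --state ESTABLISHED,RELATED" accept rule so that RELATED
# only admits the ICMP error types listed below (plus non-ICMP RELATED
# packets such as helper expectations), logging and dropping any other
# ICMP that conntrack has classified as RELATED, redirects included.
# IPT and SYSCTL default to the real tools; set both to "echo" for a dry run.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# ICMP error types we accept as RELATED; names are iptables --icmp-type names.
RELATED_ICMP_TYPES="destination-unreachable time-exceeded parameter-problem"

emit_rules() {
    # Dedicated chain (name chosen for this example) so the policy is easy to audit.
    $IPT -N RELATED_IN 2>/dev/null || $IPT -F RELATED_IN

    # Return traffic of flows we opened: ESTABLISHED is accepted as before.
    $IPT -A INPUT -m state --state ESTABLISHED -j ACCEPT
    # Everything conntrack calls RELATED goes through the audited chain.
    $IPT -A INPUT -m state --state RELATED -j RELATED_IN

    # Only the listed ICMP errors are allowed back in.
    for t in $RELATED_ICMP_TYPES; do
        $IPT -A RELATED_IN -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Any other RELATED ICMP (e.g. redirect) is logged, then dropped.
    $IPT -A RELATED_IN -p icmp -j LOG --log-prefix "related-icmp-drop: "
    $IPT -A RELATED_IN -p icmp -j DROP
    # Non-ICMP RELATED traffic, i.e. first packets of helper expectations
    # (FTP data connections and the like), is still accepted.
    $IPT -A RELATED_IN -j ACCEPT

    # Belt and braces: the kernel itself ignores ICMP redirects,
    # independently of what conntrack marks as RELATED.
    $SYSCTL -w net.ipv4.conf.all.accept_redirects=0
}

# Run as "sh this.sh apply" to install; without the argument nothing happens.
if [ "${1:-}" = "apply" ]; then
    emit_rules
fi
```

Running it with `IPT=echo SYSCTL=echo sh this.sh apply` prints the rules it would install, which is a cheap way to review the policy before touching a live box.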