conn association query

Brief summary
-------------
  I want to be certain that my firewall stops all communication on a conn and
  its related conns when that 'master' conn becomes prohibited or is
  disconnected.
  (1) Does netfilter (via conntracking and/or helpers) already ensure this?
  (2) If not, is there a given method in netfilter/iptables to do this?
  (3) Do I misunderstand some aspect of netfilter operations?
I can do it myself (I've pondered it sufficiently), but only if there's no 
other way.

Copious details
---------------
One premise of a firewall is to prevent unwanted conns. Duh; netfilter does 
this very well. Another premise (of absolute firewall control) is to disconnect 
unwanted existing conns. The problem I perceive is that there is no given way 
to associate a related conn to the rule that allowed it in the first place (1) 
once that related CONN becomes ESTABLISHED and (2) when neither port matches 
the rule. The problem becomes clear in the case of FTP when neither port of 
the data conn is port 20 (and the allowing rule specifies ports 20-21) and one 
uses the '-m time' facility to control when conns are allowed and prohibited.

Let me (try to) extract relevant rules from my F/W to illustrate. The rules 
should allow FTP from 2AM to 5AM on Mondays, and both reject new conns and 
shut down existing conns at all other times. The FTP helper module is loaded. 
The shutdown happens independently on each half (internal and external) of the 
conn only when the firewall receives the next packet on that half. In 
abbreviated iptables-save format:

-------------
*filter
# connmark 0x80/0x3c0 matches conns initiated from internal zones
#   to internet hosts; these marks are set in mangle. Conns from internet
#   to internal zones and conns between internal zones have different marks.
-A FORWARD -m connmark --mark 0x80/0x3c0 -j tofcScreen
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 

# eth0 is the internal NIC
# eth3 is the internet NIC

# Handle incoming packets for outbound conns
-A tofcScreen -i eth3 -j tofcfwd2Int 
# Handle outgoing packets for outbound conns
-A tofcScreen -j tofcfwd2Ext

# Match outgoing packets for outbound conns
-A tofcfwd2Ext -i eth0 -p tcp -m multiport --dports 21 \
   -m time --timestart 02:00:00 --timestop 05:00:00 --weekdays Mon \
   -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A tofcfwd2Ext -j tofcblock 

# Match incoming packets for outbound conns
-A tofcfwd2Int -o eth0 -p tcp -m multiport --sports 21 \
   -m time --timestart 02:00:00 --timestop 05:00:00 --weekdays Mon \
   -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tofcfwd2Int -j tofcblock 

# Log and reject undesired packets
-A tofcblock -j LOG --log-prefix "Denied-by-filter:tofcblock " 
# Shut down existing TCP conns.
# This works on each side of the conn independently.
-A tofcblock -p tcp -m state --state ESTABLISHED \
   -j REJECT --reject-with tcp-reset 
# Reject all other packets
-A tofcblock -j REJECT --reject-with icmp-admin-prohibited 
-------------

As I understand, RELATED refers only to the first packet of a conn related to 
an existing conn; and once a RELATED conn becomes ESTABLISHED, there is no way 
to match its packets to the original allowing rule. Have I overlooked anything 
in netfilter that would allow me to perform such matches? Does, perhaps, 
netfilter reset and/or prohibit existing conns when the 'master' conn closes 
(thus invalidating RELATED conns)?

A random neuron just fired. Are related conns transitioned to INVALID when 
their 'master' conns are disconnected or become invalidated?

Thanks,
Neal
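Added example (this is not part of Neal's post, nor netfilter project code): a
self-contained iptables-restore ruleset that ties FTP data conns to the time
window that admitted their control conn. It relies on conntrack copying the
master conn's connmark to any conn created from a helper expectation, so an FTP
data conn carries whatever mark its control conn had when the data conn was
created; with a mark bit that is set only when the control conn's NEW packet
falls inside the window, one '-m connmark' rule catches control and data conns
together, in both directions, regardless of the ports the data conn uses.
Interface names eth0/eth3 and the tofcblock chain are taken from the post; the
0x400 bit (chosen to stay clear of the post's 0x3c0 zone bits), the chain name
ftpwindow and the FORWARD policy are assumptions, as is the FTP helper being
attached to the control conn. Verify the mark inheritance on the kernel in use
before relying on it.

```shell
#!/bin/sh
# Added example, not from the original post.  Generates an iptables-restore
# ruleset in which FTP data conns inherit the control conn's 0x400 mark bit
# (conntrack copies the master's mark to expected conns) and are therefore
# judged by the same time window.  eth0 = internal NIC, eth3 = internet NIC,
# as in the post; bit 0x400 and chain name "ftpwindow" are made up here.
FTP_BIT="0x400/0x400"
WINDOW="-m time --timestart 02:00:00 --timestop 05:00:00 --weekdays Mon"

gen_rules() {
  cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# Tag the FTP control conn once, on its first packet, only inside the window.
# Data conns the FTP helper expects from this conn inherit the mark.
-A PREROUTING -i eth0 -p tcp --dport 21 -m state --state NEW $WINDOW -j CONNMARK --set-xmark $FTP_BIT
COMMIT
*filter
:FORWARD DROP [0:0]
:ftpwindow - [0:0]
:tofcblock - [0:0]
# Control conn and its data conns (inherited mark) are judged in one place,
# whatever direction the packet travels and whatever ports the data conn uses.
-A FORWARD -m connmark --mark $FTP_BIT -j ftpwindow
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Unmarked control-conn attempts are outside the window: log and reject.
-A FORWARD -i eth0 -p tcp --dport 21 -j tofcblock
# Inside the window: admit the marked control conn and anything related to it.
-A ftpwindow $WINDOW -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Outside the window: the next packet of control OR data conn is torn down,
# one side of the conn at a time, exactly as the post's tofcblock does.
-A ftpwindow -j tofcblock
-A tofcblock -j LOG --log-prefix "Denied-by-filter:tofcblock "
-A tofcblock -p tcp -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset
-A tofcblock -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Pre-deploy check (constructed here): every "-j" target that is not a
# built-in target must be declared with a ":" line, so a typo in a chain name
# is reported with a clear message instead of an iptables-restore line error.
lint_rules() {
  rules=$(gen_rules)
  declared=$(printf '%s\n' "$rules" | sed -n 's/^:\([^ ]*\).*/\1/p')
  for target in $(printf '%s\n' "$rules" | grep -v '^#' \
                  | sed -n 's/.* -j \([A-Za-z0-9_]*\).*/\1/p' | sort -u); do
    case "$target" in
      ACCEPT|DROP|REJECT|LOG|RETURN|CONNMARK) continue ;;
    esac
    printf '%s\n' "$declared" | grep -qx "$target" || {
      echo "undeclared chain: $target" >&2
      return 1
    }
  done
  return 0
}

# Usage:  sh thisfile print | iptables-restore --test    (parse only, no commit)
#         sh thisfile lint
case "${1-}" in
  print) gen_rules ;;
  lint)  lint_rules ;;
esac
```

Two things to check before merging this into a live ruleset: loading the file
with iptables-restore replaces the whole mangle and filter tables, so merge the
rules into the existing ruleset rather than applying the file as-is, and the
'-m time' match compares against UTC unless '--kerneltz' is given, so 02:00 to
05:00 here is UTC, not local time.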