TLUG Mailing List

Mailing List Archive
Support open source code!
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IPChains rules

To: <tlug@example.com>

Subject: Re: IPChains rules

From: "Stephen J. Turnbull" <turnbull@example.com>

Date: Mon, 5 Mar 2001 12:10:15 +0900

Content-Transfer-Encoding: 7bit

Content-Type: text/plain; charset=us-ascii

In-Reply-To: <Pine.LNX.4.30.0103031439560.8903-100000@example.com>

References: <15008.33424.983448.180679@example.com><Pine.LNX.4.30.0103031439560.8903-100000@example.com>

Reply-To: tlug@example.com

Resent-From: tlug@example.com

Resent-Message-ID: <s_QuxC.A.oZE.yTwo6@example.com>

Resent-Sender: tlug-request@example.com
>>>>> "Tobias" == Tobias Diedrich <ranma@example.com> writes:

    Tobias> Now I'm not sure what you mean with that ^^;;

ipchains -y flag IIRC.  Filter on SYN flag.

    Tobias> Works for ping, traceroute,

    >> Wrong.  Ping is ICMP, traceroute is UDP.  No state ... sorry.

    Tobias> Well it's true that these are "stateless" connections, but
    Tobias> the packet filter treats them as statefull connections
    Tobias> anyway, which is possible and works quite good.

Well, you should be more careful.  The connections aren't stateful,
the filter is.  That is useful, it is more efficient to open windows
for ports from the TCP/IP stack than to do it with user space
routines.  But they shouldn't have polluted the namespace by using
TCP/IP terminology for states which do not correspond accurately to
TCP states.

    Tobias> It will recognize the corresponding ICMP-ECHO-REPLY packet
    Tobias> from that host and set the state to ESTABLISHED and will
    Tobias> let this packet through (with my rules that is) and after
    Tobias> that the connection is finished. A second ICMP-ECHO-REPLY

This is very fragile.  It requires that a lot of information about the
various protocols and their common _incorrect_ usages be built into
the TCP/IP stack.  That's not a good idea (requires rebuilding the
kernel and reboot to change, I suppose?)  I guess if it's done as a
module it's not so bad, but it's not robust to specification error.

    Tobias> packet would not be let through because I have not sent a
    Tobias> ICMP-ECHO-REQUEST packet first.

Man-in-the-middle by definition means the attacker gets in first.
This is probably better than nothing (although it throws away the
potentially useful information that multiple packets came back), but
it doesn't create state (or a connection!) where there was none.

    Tobias> I'm pretty sure that traceroute is ICMP too btw.

On the LBL implementation, only if you use the -I flag.


-- 
University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences       Tel/fax: +81 (298) 53-5091
_________________  _________________  _________________  _________________
What are those straight lines for?  "XEmacs rules."
References:

Re: IPChains rules
From: "Stephen J. Turnbull" <turnbull@example.com>

Re: IPChains rules
From: Tobias Diedrich <ranma@example.com>

Prev by Date: Re: linux only with linux?

Next by Date: Re: IPChains rules

Prev by thread: Re: IPChains rules

Next by thread: Re: IPChains rules

Index(es):

Date

Thread

Home | Main Index | Thread Index

Home Page Mailing List Linux and Japan TLUG Members Links