Title: RE: Statefull inspection
Note that there should also be rules like:
 
iptables -A FORWARD -m state --state ESTABLISHED -p tcp --sport 22 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED -p tcp --sport 25 -j ACCEPT

or it most likely won't work too well.
 
But your point is extremely valid.  iptables/netfilter is extremely flexible, much more than most if not all other firewall software.  This, however, implies two things.  1) There's More Than One Way To Do It, and 2) iptables/netfilter will generally do exactly what you tell it to, which may not be what you want it to.
 
Also, if you want to follow a slash-and-burn philosophy of connection tracking, you could, I believe, `rmmod ipt_state; modprobe ipt_state`, assuming you built it as a module. That should clear out the connection tracking table fairly effectively.
 
-Joe
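The whole thread turns on two separate things: the connection tracking table, which survives a rule reload, and the rule list, which is evaluated first-match per packet. The following toy model is an added example, not code from any of the posters. It parses rule lines in the syntax quoted above and shows both outcomes discussed: with a generic `--state ESTABLISHED` rule ahead of per-port NEW rules (Lee's case) an existing ssh session keeps passing after the ssh line is dropped from the script, until the tracking table is flushed; with Filip's per-port NEW,ESTABLISHED `--dport` rules plus Joe's `--sport` reply rules, dropping the `--dport 22` line cuts the client-to-server direction at once even though the flow is still listed. The addresses and ports are made up, and treating every untracked packet as NEW is a simplification of what netfilter does.

```python
"""Toy model of netfilter's FORWARD chain: first-match rule evaluation over a
conntrack table that a rule reload does not touch. Added example, not code
from any post in the thread; every untracked packet counts as NEW here."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")
Rule = namedtuple("Rule", "states sport dport target")   # states: frozenset

def parse_rule(line):
    """Parse one 'iptables -A FORWARD ...' line in the subset the thread uses."""
    toks = line.split()
    states, sport, dport, target = frozenset(), None, None, "ACCEPT"
    for i, tok in enumerate(toks[:-1]):
        if tok == "--state":
            states = frozenset(toks[i + 1].split(","))
        elif tok == "--sport":
            sport = int(toks[i + 1])
        elif tok == "--dport":
            dport = int(toks[i + 1])
        elif tok == "-j":
            target = toks[i + 1]
    return Rule(states, sport, dport, target)

class Conntrack:
    """Direction-agnostic flow table, standing in for /proc/net/ip_conntrack."""
    def __init__(self):
        self.flows = set()
    @staticmethod
    def key(pkt):
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
    def state(self, pkt):
        return "ESTABLISHED" if self.key(pkt) in self.flows else "NEW"
    def confirm(self, pkt):
        self.flows.add(self.key(pkt))
    def flush(self):
        self.flows.clear()          # the slash-and-burn reset

class Forward:
    """FORWARD chain, policy DROP. reload() replaces rules, never conntrack."""
    def __init__(self, ct):
        self.ct, self.rules = ct, []
    def reload(self, lines):
        self.rules = [parse_rule(l) for l in lines]
    def verdict(self, pkt):
        state = self.ct.state(pkt)
        for r in self.rules:        # first matching rule decides
            if r.states and state not in r.states:
                continue
            if r.sport is not None and r.sport != pkt.sport:
                continue
            if r.dport is not None and r.dport != pkt.dport:
                continue
            if r.target == "ACCEPT":
                self.ct.confirm(pkt)   # accepted packets create/refresh flows
            return r.target
        return "DROP"               # chain policy

# Style A: a generic ESTABLISHED rule ahead of per-port NEW rules.
GENERIC_WITH_SSH = [
    "iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT",
    "iptables -A FORWARD -m state --state NEW -p tcp --dport 22 -j ACCEPT",
    "iptables -A FORWARD -m state --state NEW -p tcp --dport 80 -j ACCEPT",
]
# Style B: per-port NEW,ESTABLISHED --dport rules plus --sport reply rules.
PER_PORT_WITH_SSH = [
    "iptables -A FORWARD -m state --state NEW,ESTABLISHED -p tcp --dport 22 -j ACCEPT",
    "iptables -A FORWARD -m state --state NEW,ESTABLISHED -p tcp --dport 80 -j ACCEPT",
    "iptables -A FORWARD -m state --state ESTABLISHED -p tcp --sport 22 -j ACCEPT",
    "iptables -A FORWARD -m state --state ESTABLISHED -p tcp --sport 80 -j ACCEPT",
]
# Constructed sample flows; the addresses and ports are made up.
CLIENT_TO_SSH = Packet("10.0.0.5", 40000, "192.0.2.10", 22)
SSH_TO_CLIENT = Packet("192.0.2.10", 22, "10.0.0.5", 40000)
NEW_SSH = Packet("10.0.0.6", 40001, "192.0.2.10", 22)

def scenario(lines):
    """Open an ssh flow, re-run the script without its ssh line, then flush."""
    ct = Conntrack()
    fw = Forward(ct)
    fw.reload(lines)
    fw.verdict(CLIENT_TO_SSH)       # the flow becomes tracked
    fw.verdict(SSH_TO_CLIENT)
    fw.reload([l for l in lines if "--dport 22" not in l])   # ssh line removed
    out = {
        "still_tracked": ct.key(CLIENT_TO_SSH) in ct.flows,
        "existing_c2s": fw.verdict(CLIENT_TO_SSH),
        "existing_s2c": fw.verdict(SSH_TO_CLIENT),
        "new_ssh": fw.verdict(NEW_SSH),
    }
    ct.flush()                      # what reloading the tracker module achieves
    out["existing_c2s_after_flush"] = fw.verdict(CLIENT_TO_SSH)
    return out

if __name__ == "__main__":
    print("generic: ", scenario(GENERIC_WITH_SSH))
    print("per-port:", scenario(PER_PORT_WITH_SSH))
```

Running it shows style A keeping the existing session alive in both directions after the reload (only the new ssh connection is dropped) and killing it after the flush, while style B drops the client-to-server packets immediately even though the flow is still in the table. On current kernels the table is flushed with `conntrack -F` from conntrack-tools rather than by unloading modules; that tool is not mentioned in the thread.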
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sneppe Filip
Sent: Wednesday, April 24, 2002 10:44 AM
To: Sigmund Vegheim; [EMAIL PROTECTED]
Subject: RE: Statefull inspection

Sigmund,

It's not a security risk. It's just more flexible than any other
firewall product.

Nobody is preventing you from writing rules like this:

iptables -A FORWARD -m state --state NEW,ESTABLISHED -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED -p tcp --dport 25 -j ACCEPT

etc.

Now if you were to remove the line where you allow ssh from your script
and run it again, you would still have active ssh connections tagged as
ESTABLISHED in /proc/net/ip_conntrack, yet you would block all ssh access.

Regards,
Filip



-----Original Message-----
From:   Sigmund Vegheim [mailto:[EMAIL PROTECTED]]
Sent:   Wed 24/04/2002 16:12
To:     Sneppe Filip; [EMAIL PROTECTED]
Cc:    
Subject:        RE: Statefull inspection
But this is a security risk. The statefulness of the firewall isn't good
enough for business use, I would say.
Is this because of iptables or netfilter? This is a rather important issue
and the documentation on this is poor.
It seems that iptables' way of implementing stateful inspection is only a
matter of speed?

-----Original Message-----
From: Sneppe Filip [mailto:[EMAIL PROTECTED]]
Sent: 24. april 2002 14:50
To: Sigmund Vegheim; [EMAIL PROTECTED]
Subject: RE: Statefull inspection



Sigmund,

Correct. Stuff doesn't just get dropped from the connection tracking,
not even after a script reloads the rules. So you have to be careful
with stuff that is still in /proc/net/ip_conntrack.

Regards,
Filip


-----Original Message-----
From:   Sigmund Vegheim [mailto:[EMAIL PROTECTED]]
Sent:   Wed 24/04/2002 13:53
To:     'Lee Evans'; Netfilter (E-mail)
Cc:   
Subject:        RE: Statefull inspection
Right! Of course. But this means that I cannot say that iptables walks
through the connection table and drops the already established connections
based on the new ruleset?

Sigmund

> -----Original Message-----
> From: Lee Evans [mailto:[EMAIL PROTECTED]]
> Sent: 24. april 2002 13:45
> To: Sigmund Vegheim; [EMAIL PROTECTED]
> Subject: RE: Statefull inspection
>
>
> It depends - If you have a rule in your firewall to allow ESTABLISHED
> connections through, and this comes *before* the rule to disallow any and
> all ssh traffic, the existing connections will fall under the first rule
> and the connection will be allowed to continue.
>
> Regards
> Lee
> --
> Lee Evans
> http://www.leeevans.org
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sigmund Vegheim
> Sent: 24 April 2002 12:37
> To: [EMAIL PROTECTED]
> Subject: Statefull inspection
>
>
> Hello everyone!
>
> Does anybody know if it's right that iptables doesn't close down
> established ssh connections through the firewall when you implement
> a rule to stop this ssh traffic, and restart iptables?
>
> Thanks in advance,
>
> ./Sigmund
>
>
>