-----Original Message-----
From: Sneppe Filip [mailto:[EMAIL PROTECTED]]
Sent: 24. april 2002 16:44
To: Sigmund Vegheim; [EMAIL PROTECTED]
Subject: RE: Statefull inspection
Sigmund,
It's not a security risk. It's just more flexible than any other
firewall product.
Nobody is preventing you from writing rules like this:
iptables -A FORWARD -m state --state NEW,ESTABLISHED -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED -p tcp --dport 25 -j ACCEPT
etc.
Now if you were to remove the line where you allow ssh from your script
and run it again, you would still have active ssh connections tagged as
ESTABLISHED in /proc/net/ip_conntrack, yet you would block all ssh access.
Regards,
Filip
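The two rule styles this thread contrasts (per-port NEW,ESTABLISHED rules versus one blanket ESTABLISHED rule ahead of the per-port rules), together with a check of the tracking table after a reload, as an added shell example; this is not code from any poster, the conntrack lines are constructed, and the script only prints the iptables commands rather than running them:

```shell
#!/bin/sh
# Added example (not from any poster): the two rule styles debated in the
# thread, plus a check of the connection-tracking table after a reload.
# Assumes the 2.4-era /proc/net/ip_conntrack line format shown in the sample.

# Services the policy currently allows. Removing a port here and re-running
# the script is the "comment it out of the ruleset" step Sigmund describes.
ALLOWED_PORTS="22 80 25"

# Filip's style: ESTABLISHED is accepted per port, so a port that leaves the
# list loses its live sessions at the next reload (conntrack still lists them,
# but no rule matches them any more).
per_service_rules() {
    echo "iptables -P FORWARD DROP"
    for p in $ALLOWED_PORTS; do
        echo "iptables -A FORWARD -m state --state NEW,ESTABLISHED -p tcp --dport $p -j ACCEPT"
    done
}

# Lee's style: one blanket ESTABLISHED rule first, so every tracked session
# keeps flowing no matter which per-port NEW rules are removed later.
blanket_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ALLOWED_PORTS; do
        echo "iptables -A FORWARD -m state --state NEW -p tcp --dport $p -j ACCEPT"
    done
}

# Count tracked TCP sessions whose original-direction destination port is $1.
# Reads a conntrack dump on stdin; the first dport= on a line is the original direction.
count_tracked() {
    awk -v want="dport=$1" '
        $1 == "tcp" && $4 == "ESTABLISHED" {
            for (i = 5; i <= NF; i++) if (index($i, "dport=") == 1) { if ($i == want) n++; break }
        }
        END { print n + 0 }'
}

# Constructed sample of /proc/net/ip_conntrack: two ssh sessions, one http session.
sample_conntrack() {
    cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=22 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=40001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.0.2.11 dst=198.51.100.5 sport=40002 dport=22 src=198.51.100.5 dst=192.0.2.11 sport=22 dport=40002 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.0.2.12 dst=198.51.100.5 sport=40003 dport=80 src=198.51.100.5 dst=192.0.2.12 sport=80 dport=40003 [ASSURED] use=1
EOF
}

# Sessions that the tracking table still lists for port 22 after a reload; whether
# they keep passing depends only on which of the two rule styles is loaded.
sample_conntrack | count_tracked 22   # prints 2
```

On current kernels the table is /proc/net/nf_conntrack (or `conntrack -L` from conntrack-tools), and a lingering entry can be removed explicitly with `conntrack -D`, which addresses Sigmund's "in a matter of seconds" requirement without depending on rule ordering.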
-----Original Message-----
From: Sigmund Vegheim [mailto:[EMAIL PROTECTED]]
Sent: Wed 24/04/2002 16:12
To: Sneppe Filip; [EMAIL PROTECTED]
Cc:
Subject: RE: Statefull inspection
But this is a security risk. The statefulness of the firewall isn't good
enough for business use, I would say.
Is this because of iptables or netfilter? This is a rather important issue
and the documentation on this is poor.
It seems that iptables' way of implementing stateful inspection is only a
matter of speed?
-----Original Message-----
From: Sneppe Filip [mailto:[EMAIL PROTECTED]]
Sent: 24. april 2002 14:50
To: Sigmund Vegheim; [EMAIL PROTECTED]
Subject: RE: Statefull inspection
Sigmund,
Correct. Stuff doesn't just get dropped from the connection tracking,
not even after a script reloads the rules. So you have to be careful
with stuff that is still in /proc/net/ip_conntrack.
Regards,
Filip
-----Original Message-----
From: Sigmund Vegheim [mailto:[EMAIL PROTECTED]]
Sent: Wed 24/04/2002 13:53
To: 'Lee Evans'; Netfilter (E-mail)
Cc:
Subject: RE: Statefull inspection
Right! Of course. But this means that I cannot say that iptables walks
through the connection table and drops the already established connections
based on the new ruleset?
Sigmund
> -----Original Message-----
> From: Lee Evans [mailto:[EMAIL PROTECTED]]
> Sent: 24. april 2002 13:45
> To: Sigmund Vegheim; [EMAIL PROTECTED]
> Subject: RE: Statefull inspection
>
>
> It depends - If you have a rule in your firewall to allow ESTABLISHED
> connections through, and this comes *before* the rule to disallow any and
> all ssh traffic, the existing connections will fall under the first rule
> and the connection will be allowed to continue.
>
> Regards
> Lee
> --
> Lee Evans
> http://www.leeevans.org
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sigmund Vegheim
> Sent: 24 April 2002 12:37
> To: [EMAIL PROTECTED]
> Subject: Statefull inspection
>
>
> Hello everyone!
>
> Does anybody know if it's right that iptables doesn't close down established
> ssh connections through the firewall when you implement a rule to stop this
> ssh traffic and restart iptables?
>
> Thanks in advance,
>
> ./Sigmund
>
>
>
Thanks Filip for your balanced answer :-)
You have taken my point about the statefulness of iptables. I want to question
how useful it is to have this flexibility if your main concern is the net behind
the firewall. How to stop the long-term tcp/udp connections you DON'T really
like in a matter of seconds. I think of this as a function of the firewall. The
possibility to drop connections by commenting out what you think is wrong in
the ruleset.
./Sigmund