tcp match silently drops packets

JC bikkit at gmail.com
Mon Oct 17 15:57:00 CEST 2005


On 17/10/05, Henrik Nordstrom <hno at marasystems.com> wrote:
> On Mon, 17 Oct 2005, JC wrote:
>
> >> For the exact same reason the match also hotdrops fragments which would
> >> overwrite the TCP header.
> >>
> >> In theory just the second criteria is a must (drop fragments which could
> >> override an earlier decision), but as it's there the first also makes
> >> sense to drop the first as we can not allow a fragment filling in the
> >> missing pieces.
> >
> > Could someone please explain these two?
>
> An IP fragment with offset 1 can overwrite parts of the TCP header, and if
> this check is not there an attacker could bypass port matches in iptables
> by sending the packet in two fragments where the first fragment (which is
> used by the tcp match) has ports which are allowed by the ruleset and later
> the second fragment (which is ignored by the tcp match) overwrites the
> port numbers with ports which would not be allowed by the ruleset.

and that doesn't get picked up by conntrack as a different connection??
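To make the two criteria Henrik describes concrete, here is an added example (constructed for this page, not netfilter's own xt_tcp code) that parses an IPv4/TCP packet and returns the tcp match's verdict: a first fragment too short to hold the full TCP header is dropped, a non-first fragment at offset 1 (which overlaps the TCP header) is dropped, and any other non-first fragment simply does not match. The helper names, addresses and port numbers are assumptions made up for the demonstration.

```python
import struct

# Constructed example, not netfilter code: an IPv4/TCP header parser and a
# decision function applying the two fragment criteria discussed in the thread.

def parse_ipv4(pkt):
    """Return (frag offset in 8-byte units, more-fragments flag, protocol, payload)."""
    ver_ihl, _, total_len, _, flags_off, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return flags_off & 0x1FFF, bool(flags_off & 0x2000), proto, pkt[ihl:total_len]

def tcp_match(pkt, allowed_dport):
    """Emulate the tcp match: 'match', 'nomatch' or 'hotdrop' (dropped before any rule)."""
    frag_off, _mf, proto, payload = parse_ipv4(pkt)
    if proto != 6:
        return "nomatch"
    if frag_off != 0:
        # Non-first fragment: offset 1 overlaps the TCP header and could override
        # the decision taken on the first fragment, so it is dropped outright.
        return "hotdrop" if frag_off == 1 else "nomatch"
    if len(payload) < 20:
        # First fragment too short for a full TCP header: a later fragment would
        # fill in the missing fields, so it is dropped as well.
        return "hotdrop"
    _sport, dport = struct.unpack("!HH", payload[:4])
    return "match" if dport == allowed_dport else "nomatch"

def build_ipv4(payload, frag_off=0, mf=False):
    """Minimal IPv4 header (checksum zeroed) around payload; constructed addresses."""
    flags_off = (0x2000 if mf else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_off, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def build_tcp(sport, dport):
    """20-byte TCP SYN header with zeroed sequence numbers and checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def classify_samples(allowed_dport=80):
    """Run the match over constructed packets covering each case from the thread."""
    syn = build_tcp(40000, allowed_dport)
    return {
        "first_fragment_full_header": tcp_match(build_ipv4(syn), allowed_dport),
        "first_fragment_truncated": tcp_match(build_ipv4(syn[:8], mf=True), allowed_dport),
        "fragment_offset_1": tcp_match(build_ipv4(syn[8:], frag_off=1), allowed_dport),
        "fragment_offset_2": tcp_match(build_ipv4(syn[16:], frag_off=2), allowed_dport),
        "first_fragment_other_port": tcp_match(build_ipv4(build_tcp(40000, 22)), allowed_dport),
    }

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:28s} -> {verdict}")
```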
