[PATCH 4/4] drop ftp bounce attacks
Philip Craig
philipc at snapgear.com
Thu May 25 04:55:59 CEST 2006
On 05/25/2006 02:31 AM, Patrick McHardy wrote:
> The best solution would be to mark the packet INVALID and let the
> user decide using the state match.
Marking the packet INVALID is definitely better than always dropping
it.
The reason I said fixing the ftp server is the best solution is
that I'm not sure whether the ftp conntrack module can match on
all possible port commands, taking into account fragmentation,
reordering, and retransmits.
This is different from attacks against the firewall, in which the
attack works only if the firewall recognizes the port command and
creates an expectation.
More information about the netfilter-devel
mailing list