technical tests on netfiler under 2.4.0-test2
Thu, 13 Jul 2000 03:13:44 +0200
I tested netfilter under linux-2.4.0-test2 with iptables from the latest cvs
on last week-end.
I had both side of the test machine a linux system with hping to generate
paquets as I wanted, and filter on those two systems to generate no response
to thoses requests.
Here are some bugs that I think should be corrected :
. the conntrack don't follow corrrectly the 3 hand shack which is a
vulnerability : attacker send a SYN, victim reply by a SYN-ACK and the
connexion is in the table during 5 days !!!
Aparently, there is 2 states between NONE and ESTABLISHED (SYN_SENT and
SYN_RECV) but only one is used and I can't see how the tcp_conntracks
table in ip_conntrack_proto_tcp.c works.
. that constant of 5 days, as other constants in ip_conntrack_proto_tcp.cj,
can't be dynamically changed via /proc/sys :-(
. there isn't an option in iptables that permits to flush that table :-(
. iptables doesn't compile under libc5. Is some one is porting it or not ?
My firewall is a libc5 (slackware 4), I don't want to upgrade the system
but I want to use netfilter (as soon as linux-2.4.0 is stable).
. under glibc2.1.2 (x86) : I had to unapply last patches on
netfilter/userspace/libiptc/libiptc.c (diff -u -r1.17 -r1.18) and
netfilter/userspace/libiptc/libip4tc.c (diff -u -r1.3 -r1.4) to have
iptable to compile.
and put some undefined constant at struct ipt_reject_with in
. when everythink is compiled as modules, a "modprobe ip_conntrack_ftp"
loads ipfwadm.o which doesn't permit other modules to load. I had to
"manually" load another module before.
Even without verifying ack numbers (a lot of commercial products don't),
netfilter is a big step forward (once bug #1 will be corrected). Thanks to
all those who write and test it.
I will make other tests when 2.4.0 will be more stable
Denis.Ducamp@hsc.fr -- Hervé Schauer Consultants -- http://www.hsc.fr/