technical tests on netfilter under 2.4.0-test2

Rusty Russell rusty@linuxcare.com.au
Sun, 16 Jul 2000 01:02:21 +1000


In message <396DCA90.1DE8F1D9@magenta-logic.com> you write:
> Denis Ducamp wrote:
> > 
> >  that constant of 5 days, as other constants in ip_conntrack_proto_tcp.cj,
> >   can't be dynamically changed via /proc/sys :-(
> 
> 5 days???!!!  bl$$dy h$ll!

Calm down, Tony.  Only established TCP connections (modulo the recent
bug) take 5 days with no traffic.

> Rogue FTP server lures unsuspecting luser, ftp server returns port
> 23 as the data port (or 137-139 etc.)  FTP fails (of course)
> ip_conntrack_ftp opens port 23 for *5 days* leaving the firewall open
> to all sorts of attacks.

No.  This has nothing to do with the above.  Either it's Passive FTP
(the user connects to some other server's SMTP port), or it's Active
FTP (in which case the user specifies the port).

Yes, without additional filtering (see Harald's reply), the user can
deliberately open an arbitrary port on her machine to an outside ftp
server.

> IMHO these sorts of holes should be open for a maximum of a couple
> of minutes.

A couple of minutes would be an eternity.
Rusty.
--
Hacking time.
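The thread above turns on one question: when a conntrack helper sees a PORT command or a 227 passive-mode reply, should the firewall trust the endpoint it names? The following is an added illustration, not Rusty's or netfilter's ip_conntrack_ftp code, of the kind of "additional filtering" referred to in the reply: it decodes the six-number host/port tuple from both active (PORT) and passive (227) announcements and refuses to create an expectation when the announced address is not the peer that sent it or when the port is privileged (below 1024, which covers the 23 and 137-139 cases in Tony's example). The names vet_expectation, parse_data_endpoint, MIN_DATA_PORT and EXPLICIT_DENY, and the sample control-channel lines, are assumptions constructed for the example.

```python
"""Vet the data-connection endpoint announced inside an FTP control
session before a firewall opens a hole for it.

Constructed illustration, not netfilter's ip_conntrack_ftp code: it shows
the extra policy a helper needs so a rogue peer cannot coax the firewall
into opening e.g. port 23 or 137-139.
"""
import re
from ipaddress import IPv4Address

# Active FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" naming its own listener.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
# Passive FTP: the server answers "227 ... (h1,h2,h3,h4,p1,p2)" naming its listener.
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")

# Policy knobs (assumed values chosen for this example).
MIN_DATA_PORT = 1024                          # never open a privileged port for FTP data
EXPLICIT_DENY = frozenset({23, 137, 138, 139})  # the ports named in Tony's example


def decode_hostport(six_tuple):
    """Turn 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port); port = p1*256 + p2."""
    parts = [int(x) for x in six_tuple.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed host/port tuple: %r" % six_tuple)
    ip = IPv4Address(".".join(str(p) for p in parts[:4]))
    port = parts[4] * 256 + parts[5]
    return ip, port


def parse_data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or a 227 reply, else None."""
    m = PORT_RE.match(line)
    if m:
        return ("active",) + decode_hostport(m.group(1))
    m = PASV_RE.match(line)
    if m:
        return ("passive",) + decode_hostport(m.group(1))
    return None


def vet_expectation(line, announcing_peer):
    """Decide whether the firewall may add an expectation for this endpoint.

    announcing_peer is the IP of the side that sent `line`: the client for a
    PORT command, the server for a 227 reply.
    Returns (allowed, reason, mode, ip, port).
    """
    parsed = parse_data_endpoint(line)
    if parsed is None:
        return (False, "not a data-endpoint announcement", None, None, None)
    mode, ip, port = parsed
    # A peer may only ask us to open a port on itself, never on a third host.
    if ip != IPv4Address(announcing_peer):
        return (False, "announced address %s does not match peer %s"
                % (ip, announcing_peer), mode, ip, port)
    # Never punch a hole to a privileged or explicitly denied service port.
    if port < MIN_DATA_PORT or port in EXPLICIT_DENY:
        return (False, "refusing to open privileged/denied port %d" % port,
                mode, ip, port)
    return (True, "ok", mode, ip, port)


# Constructed control-channel fragments (sample input, not a real capture).
SAMPLES = [
    ("PORT 10,0,0,5,0,23", "10.0.0.5"),                                  # rogue: telnet port
    ("PORT 10,0,0,5,4,1", "10.0.0.5"),                                   # legitimate: port 1025
    ("227 Entering Passive Mode (192,168,1,2,200,3)", "192.168.1.2"),    # legitimate: port 51203
    ("227 Entering Passive Mode (192,168,1,9,200,3)", "192.168.1.2"),    # names a third host
    ("USER anonymous", "10.0.0.5"),                                      # not an announcement
]

if __name__ == "__main__":
    for line, peer in SAMPLES:
        print("%-48s -> %s" % (line, vet_expectation(line, peer)[:2]))
```

The address check matters as much as the port check: the helper is expected to open a path to whichever host the tuple names, so restricting it to the announcing peer stops one side of the session from using the firewall to expose a different machine. Timeouts, the other half of the thread, are a separate knob and are not modelled here.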