Trustworthiness of state table

Ray ray@ops.selu.edu
Wed, 13 Jun 2001 10:39:16 -0500 (CDT)


On Tue, 12 Jun 2001, Ramin Alidousti wrote:

> This might help:
> 
> http://www.cs.princeton.edu/~jns/security/iptables/iptables_conntrack.html

Ramin,

Thanks for the link.  That is a pretty good article.  Now I have
another question.  I initially set up my firewall as strictly packet
filtering, no state matching.  I wanted to exactly mimic what my previous
firewall was doing to minimize fallout after the conversion.  That meant
ugly rules like this for ftp, option 1:

## FTP outbound  --note  this sucks!!! use ftp state module for this!!!
iptables -A out-tcp -p tcp -i $IIF -o $OIF -s xxx.xxx.0.0/16 -d 0/0 \
--sport 1024:65535 --dport 21 -j ACCEPT
iptables -A in-tcp -p tcp -i $OIF -o $IIF  -s 0/0 -d xxx.xxx.0.0/16 \
--dport 1024:65535  --sport 21 ! --syn -j ACCEPT
iptables -A out-tcp -p tcp -i $IIF -o $OIF -s xxx.xxx.0.0/16 -d 0/0 \
--sport 1024:65535 --dport 20 ! --syn -j ACCEPT
iptables -A in-tcp -p tcp -i $OIF -o $IIF  -s 0/0 -d xxx.xxx.0.0/16 \
--dport 1024:65535  --sport 20  -j ACCEPT

Now I want to convert everything to state matching.  I've seen 2 ways to
do this.  Option 1, a blanket allow at the beginning of the rules:

iptables -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

Or option 2, specific state rules for each rule:

iptables -A FORWARD -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT


Here's my question:
If I use the blanket rule to allow all ESTABLISHED,RELATED, then I only
need to allow the initial connection, and everything will work.  Option 3:

iptables -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A out-tcp -p tcp -i $IIF -o $OIF -s xxx.xxx.0.0/16 -d 0/0 \
--sport 1024:65535 --dport 21 -j ACCEPT

This cuts my ruleset in half, at least, but I'm worried that the blanket
rule to ACCEPT any ESTABLISHED,RELATED may be less secure than the
specific state rules...  I can't think of how though.  As long as I
control which NEW sessions are established, is it safe to allow all
ESTABLISHED,RELATED?  Any obvious advantages/disadvantages to options 2
and 3 above?

-Ray
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean  				       	 http://www.r-a-y.org
Systems Administrator               Southeastern Louisiana University
IBM Certified Specialist  	      AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
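Added example, not from Ray's post or anyone else in the thread: option 3 written out as a complete script, with the two things the blanket ESTABLISHED,RELATED rule depends on to be safe made explicit, a DROP default policy on FORWARD and the FTP conntrack helper loaded so the data channel shows up as RELATED rather than NEW. It puts the rules straight in FORWARD instead of the post's out-tcp/in-tcp chains; the function and variable names, the 10.0.0.0/16 stand-in for xxx.xxx.0.0/16, and the eth1/eth0 interface names are assumptions.

```shell
#!/bin/sh
# Constructed example of "option 3": default-DROP FORWARD chain, one blanket
# ESTABLISHED,RELATED rule, and a single NEW rule for the FTP control channel.
# Dry run by default: IPTABLES/MODPROBE default to "echo ..." so the commands
# are printed, not applied.  Run as root with IPTABLES=iptables
# MODPROBE=modprobe to apply.  Names here are assumptions, not from the thread.

IPTABLES="${IPTABLES:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

build_ruleset() {
    inner_net="$1"   # inside network, e.g. 10.0.0.0/16 (stands in for xxx.xxx.0.0/16)
    iif="$2"         # inside interface
    oif="$3"         # outside interface

    # Without the FTP helper the data connection (from port 20, or to a
    # passive-mode port) is classified NEW and dropped; with it, conntrack
    # marks it RELATED and the blanket rule admits it.  2.4 kernels name the
    # module ip_conntrack_ftp, later kernels nf_conntrack_ftp.
    $MODPROBE ip_conntrack_ftp 2>/dev/null || $MODPROBE nf_conntrack_ftp 2>/dev/null || true

    # The blanket rule is only as safe as the NEW rules below it, so nothing
    # may be admitted by default.
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD

    # Anything conntrack already tracks, in either direction.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets matching no known session, and "NEW" TCP packets that are not
    # a SYN (stray ACKs), never get as far as the NEW rules.
    $IPTABLES -A FORWARD -m state --state INVALID -j DROP
    $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

    # The only session start allowed: inside -> outside FTP control channel.
    $IPTABLES -A FORWARD -p tcp -i "$iif" -o "$oif" -s "$inner_net" \
        --sport 1024:65535 --dport 21 -m state --state NEW -j ACCEPT
}

build_ruleset "${INNER_NET:-10.0.0.0/16}" "${IIF:-eth1}" "${OIF:-eth0}"
```

In dry-run mode the output is the exact command list, which is also a convenient thing to diff against `iptables-save` after applying it for real.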