Re: state NEW
Jochen Vogel
jvogel at it-sec.de
Mon Nov 22 10:25:14 CET 2004
In the past I thought the state NEW was the state of the connection, viz. only
SYN packets, and not if I write it to the conntrack table.
> -----Original Message-----
> From: Jose Maria Lopez [mailto:jkerouac at bgsec.com]
> Sent: Friday, 19 November 2004 20:16
> To: netfilter at lists.netfilter.org
> Subject: Re: state NEW
>
>
> On Fri, 19 Nov 2004 at 10:31, Jochen Vogel wrote:
> > Hi,
> >
> > I have the following forwarding rule
> >
> > $IPT -A FORWARD -i $INT -o $EXT -m state --state NEW,ESTABLISHED,RELATED -j QUEUE
>
> Here you are sending all this traffic to userspace, I suppose to
> snort-inline or a similar program. You could use stateless rules because
> you are sending everything...
>
> > $IPT -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
>
> And this rule does nothing, because all the traffic has been sent to
> userspace and then accepted or dropped, probably.
>
> > If I send an ACK with hping from INT to EXT, it reaches the target system.
> >
> > If I do
> >
> > $IPT -A FORWARD -i $INT -o $EXT -m state --state NEW -j ACCEPTLOG
> > $IPT -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Here you are logging and accepting all the new connections and accepting
> all the related connections.
>
> >
> > I can see the following
> >
> > Nov 19 12:05:20 snolin kernel: ACPT IN=eth0 OUT=ppp0 SRC=1.1.1.1 DST=2.2.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=12368 PROTO=TCP SPT=2618 DPT=63 WINDOW=512 RES=0x00 ACK URGP=0
> >
>
> So everything is working as you have configured it.
>
> > Did I have a false understanding of NEW, or what's wrong?
> >
>
> I don't know what you want to do exactly.
>
> > Thanks for the help
> > jo
>
> --
> Jose Maria Lopez Hernandez
> Director Tecnico de bgSEC
> jkerouac at bgsec.com
> bgSEC Seguridad y Consultoria de Sistemas Informaticos
> http://www.bgsec.com
> ESPAÑA
>
> The only people for me are the mad ones -- the ones who are mad to live,
> mad to talk, mad to be saved, desirous of everything at the same time,
> the ones who never yawn or say a commonplace thing, but burn, burn, burn
> like fabulous yellow Roman candles.
> -- Jack Kerouac, "On the Road"
>
>