netfilter bypassed by nessus using UDP packets with source port 53
grumpy
mathieu.delaplace at aquitaine.cci.fr
Wed Mar 30 16:45:12 CEST 2005
Hi,
I'm using netfilter/iptables on my Debian woody box (kernel 2.6.11-5),
and when I want to audit the security of this box with nessus, it tells me :
"It is possible to by-pass the rules of the remote firewall by sending
UDP packets with a source port equal to 53.
An attacker may use this flaw to inject UDP packets to the remote hosts,
in spite of the presence of a firewall.
Solution : Review your firewall rules policy
Risk factor : High
BID : 7436, 11237"
It's quite annoying !
here his the output of iptables-save :
# Generated by iptables-save v1.2.6a on Wed Mar 30 16:12:56 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [37566:1649215]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth0 -p icmp -m icmp ! --icmp-type 13 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -o eth1 -j REJECT --reject-with icmp-net-prohibited
COMMIT
# Completed on Wed Mar 30 16:12:56 2005
NB: I have a web server on port 3000 since I'm using ntop to monitor the
network with eth1
regards,
grumpy
More information about the netfilter
mailing list