RELATED connections and the feeling of security

Cedric Blancher blancher at cartel-securite.fr
Fri Apr 13 13:30:28 CEST 2007


On Friday 13 April 2007 at 12:02 +0200, Hugo Mildenberger wrote:
> "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
> This means to allow inbound connections having nothing in common with the 
> initiating outbound connection, except for the ip-address pair used by the 
> initiating connection, leaving your nominal firewalled systems exposed to any 
> malicious site you accidentally stumble on, whereas using "ESTABLISHED" alone 
> here would restrict connections to be outbound only.

On what grounds do you base this statement? AFAIK, RELATED state applies
to:

	. expectations created by protocol helpers such as FTP or IRC,
	  that therefore have "something in common with the initiating
	  outbound connection";
	. ICMP errors that match an existing conntrack entry, that again
	  have a relation with previously allowed connections.

The behaviour you're referring to applies to the first category. As I have
not checked the code recently, could you specifically point to some modules
that create such unexpected and lax expectations? Those would indeed
be a serious security issue to me.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
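
The two categories listed in the reply above, as an added example that is not part of the original message or of netfilter's code: a simplified Python model in which an FTP `PORT` command creates an expectation and inbound packets are classified the way a `-m state` rule would see them. The addresses, ports and the `Conntrack` class are constructed for illustration, and the model assumes the helper accepts only the client's own address in `PORT`.

```python
import re

PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

class Conntrack:
    """Toy model of connection tracking (hypothetical class, not netfilter code)."""

    def __init__(self):
        self.flows = set()         # (proto, src, sport, dst, dport)
        self.expectations = set()  # (proto, src, dst, dport), source port wildcarded

    def outbound(self, proto, src, sport, dst, dport, payload=""):
        """Track a locally initiated packet; run the FTP helper on port 21."""
        self.flows.add((proto, src, sport, dst, dport))
        m = PORT_RE.fullmatch(payload.strip()) if (proto, dport) == ("tcp", 21) else None
        if not m:
            return
        n = [int(x) for x in m.groups()]
        addr = ".".join(str(x) for x in n[:4])
        # Model assumption: only the client's own address is accepted in PORT.
        if max(n) <= 255 and addr == src:
            self.expectations.add(("tcp", dst, addr, n[4] * 256 + n[5]))

    def inbound_state(self, proto, src, sport, dst, dport, icmp_error_for=None):
        """State an '-m state' rule would see for an inbound packet."""
        if icmp_error_for is not None:
            # An ICMP error embeds the header of the packet that triggered it.
            return "RELATED" if icmp_error_for in self.flows else "INVALID"
        pkt = (proto, src, sport, dst, dport)
        if pkt in self.flows or (proto, dst, dport, src, sport) in self.flows:
            return "ESTABLISHED"
        exp = (proto, src, dst, dport)
        if exp in self.expectations:
            self.expectations.remove(exp)  # an expectation is used once
            self.flows.add(pkt)
            return "RELATED"
        return "NEW"

def demo():
    # Constructed sample: client C, FTP server S, unrelated host X.
    C, S, X = "192.0.2.10", "198.51.100.5", "203.0.113.9"
    ct = Conntrack()
    ct.outbound("tcp", C, 40000, S, 21, "PORT 192,0,2,10,195,80\r\n")
    return {
        "control_reply": ct.inbound_state("tcp", S, 21, C, 40000),
        "same_pair_other_port": ct.inbound_state("tcp", S, 20, C, 22),
        "other_host_data_port": ct.inbound_state("tcp", X, 20, C, 50000),
        "ftp_data": ct.inbound_state("tcp", S, 20, C, 50000),
        "second_use_of_expectation": ct.inbound_state("tcp", S, 2000, C, 50000),
        "icmp_error": ct.inbound_state("icmp", X, 0, C, 0, ("tcp", C, 40000, S, 21)),
    }
```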


