RELATED connections and the feeling of security
blancher at cartel-securite.fr
Fri Apr 13 13:30:28 CEST 2007
Le vendredi 13 avril 2007 à 12:02 +0200, Hugo Mildenberger a écrit :
> "iptables -A INPUT -m state --state ESTABLISHED, RELATED - j ACCEPT"
> This means to allow inbound connections having nothing in common with the
> initiating outbound connection, except for the ip-address pair used by the
> initiating connection, leaving your nominal firewalled systems exposed to any
> malicious site you accidentally stumble on, whereas using "ESTABLISHED" alone
> here would restrict connections to be outbound only.
On what ground do you base this statement ? AFAIK, RELATED state applies
. expectations created by protocol helpers such as FTP or IRC,
that therefore have "something in common with the initiating
. ICMP errors that match an existing conntrack entry, that again
have a relation with previously allowed connections.
Behaviour you're referring to applies to the first category. As I have
not check the code recently, could you specificly point some modules
that create such unexpected and lax expectations ? Thoses would indeed
be a serious security issue to me.
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
More information about the netfilter