From: Leonardo Rodrigues (coelhopersogo.com.br)
Date: Thu Dec 13 2001 - 08:16:05 CST
You've got a nice point on that. Although I've only quickly analysed it, it
seems things won't work the way you understood them.
I understand 'restart the firewall' as an 'iptables -F; iptables -X;
iptables -Z' and not as a real machine reboot. In the case of a
machine reboot, it would be very difficult (if not impossible) to
guarantee that open connections would remain open. Who knows how
much time the machine will take to boot?
So, in the case of a soft restart of the firewall (clean and
reload iptables rules), it seems that established connections would remain
established. Connection tracking is NOT done directly by iptables.
In fact it's done by the ip_conntrack kernel module. I've done the following:
1) Loaded ip_tables and ip_conntrack on a Linux machine. NO iptables
rules were entered at all; everything was default ACCEPT. I watched
/proc/net/ip_conntrack and noticed that connections were there. I
tried several 'iptables -F; iptables -X; iptables -Z' and noticed that
connection states were NOT cleaned up.
2) I unloaded all ip_tables modules and left just ip_conntrack
loaded. The /proc/net/ip_conntrack file was correctly maintained.
I've not REALLY tested this, but from these simple tests it seems that a
soft restart of the firewall (1-2 seconds) would NOT lose open
connections, as states are NOT done directly by ip_tables.
What do you think of that?
----- Original Message -----
From: "Blue Boar" <BlueBoarthievco.com>
To: "Leonardo Rodrigues" <coelhopersogo.com.br>
Sent: Tuesday, December 11, 2001 4:00 PM
Subject: Re: iptables 'syn but not new' packets
> Note: I haven't used ipfilter yet, so I'm speculating. However, I
> have a pretty good idea of what's going on.
> If you've got load-balancing firewalls (like in the example you gave),
> if you happen to reload iptables in the middle of the day... what happens
> to your connections? What if you were in the middle of downloading a
> 650MB ISO image? If you restart the firewall, when it comes back
> with an empty table, no SYN packet would have been seen, and the connection
> will be blocked.
> However, if you add a feature like the above, it can then add an entry
> to the table, and permit the rest of the connection. The obvious
> question is: how does the firewall know that this is the continuation
> of a previous connection, or if it's an attacker trying to play games?
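A way to automate the check Leonardo describes above (snapshot /proc/net/ip_conntrack, run the 'iptables -F; iptables -X; iptables -Z' flush, snapshot again, and see which tracked connections survived). This is an added example, not code from the list posting or from the netfilter project; the conntrack lines it parses are constructed samples in the 2.4-kernel /proc/net/ip_conntrack layout, and the function names are my own.

```python
"""Diff two snapshots of /proc/net/ip_conntrack to see which tracked
connections survive an 'iptables -F; iptables -X; iptables -Z' reload.

Added example. BEFORE and AFTER are constructed sample lines in the
2.4-kernel ip_conntrack format, not captures from a real host. On a
live box you would read the file before and after the flush instead.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """Original-direction tuple used as the identity of a tracked connection."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Entry:
    flow: Flow
    timeout: int           # seconds left before the kernel expires the entry
    state: Optional[str]   # TCP state word (ESTABLISHED, SYN_SENT, ...); None for UDP/ICMP
    assured: bool          # [ASSURED]: traffic seen both ways, entry is not evicted early


def parse_conntrack(text: str) -> Dict[Flow, Entry]:
    """Parse ip_conntrack lines, keyed by original-direction flow."""
    entries: Dict[Flow, Entry] = {}
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        proto, timeout = fields[0], int(fields[2])
        # TCP lines carry a state word right after the timeout; UDP/ICMP do not.
        state, pos = (fields[3], 4) if proto == "tcp" else (None, 3)
        # The first src=/dst=/sport=/dport= group is the original direction;
        # the reply-direction group that follows is not needed for identity.
        orig: Dict[str, str] = {}
        for tok in fields[pos:pos + 4]:
            if "=" not in tok:          # flags such as [UNREPLIED] carry no value
                continue
            key, val = tok.split("=", 1)
            orig[key] = val
        flow = Flow(proto, orig["src"], int(orig.get("sport", 0)),
                    orig["dst"], int(orig.get("dport", 0)))
        entries[flow] = Entry(flow, timeout, state, "[ASSURED]" in fields)
    return entries


def diff_snapshots(before: str, after: str) -> Tuple[Set[Flow], Set[Flow], Set[Flow]]:
    """Return (survived, lost, new) flows between two snapshots."""
    a, b = parse_conntrack(before), parse_conntrack(after)
    return set(a) & set(b), set(a) - set(b), set(b) - set(a)


def established_lost(before: str, after: str) -> Set[Flow]:
    """Flows that were ESTABLISHED and [ASSURED] before but are gone after:
    the ones a rule reload must not drop if the 'soft restart' claim holds."""
    a = parse_conntrack(before)
    _, lost, _ = diff_snapshots(before, after)
    return {f for f in lost if a[f].state == "ESTABLISHED" and a[f].assured}


# Constructed sample: an ssh session, a half-open http attempt, a DNS query.
BEFORE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=33211 dport=22 src=10.0.0.5 dst=192.168.1.10 sport=22 dport=33211 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.1.10 dst=10.0.0.7 sport=40412 dport=80 [UNREPLIED] src=10.0.0.7 dst=192.168.1.10 sport=80 dport=40412 use=1
udp      17 29 src=192.168.1.10 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=192.168.1.10 sport=53 dport=5353 use=1
"""

# Constructed sample taken "after" the flush: the ssh and DNS entries are still
# tracked (timeouts merely ticked down), the unanswered SYN expired on its own,
# and a new https session appeared meanwhile.
AFTER = """\
tcp      6 431997 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=33211 dport=22 src=10.0.0.5 dst=192.168.1.10 sport=22 dport=33211 [ASSURED] use=1
udp      17 27 src=192.168.1.10 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=192.168.1.10 sport=53 dport=5353 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.11 dst=10.0.0.9 sport=51020 dport=443 src=10.0.0.9 dst=192.168.1.11 sport=443 dport=51020 [ASSURED] use=1
"""

if __name__ == "__main__":
    survived, lost, new = diff_snapshots(BEFORE, AFTER)
    print(f"survived={len(survived)} lost={len(lost)} new={len(new)}")
    for f in sorted(lost, key=str):
        print("lost:", f)
    print("established+assured lost:", established_lost(BEFORE, AFTER))
```

On a real 2.4 host the two snapshots come from `cat /proc/net/ip_conntrack` taken immediately before and after the flush commands quoted in the message. Entries that vanish only because their own timeout ran out (the unreplied SYN in the sample) are expected; the check that matters for the soft-restart claim is whether `established_lost` comes back empty, which it does in the sample.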