From: Leonardo Rodrigues (coelhopersogo.com.br)
Date: Thu Dec 13 2001 - 08:16:05 CST

        You've got a nice point on that. Although I've quickly analysed it, and it
    seems things won't work the way you understood them.

        I understand 'restart the firewall' as an 'iptables -F; iptables -X;
    iptables -Z' and not as a real machine reboot. In the case of a
    machine reboot, it would be very difficult ( if not impossible ) to
    guarantee that opened connections would remain opened. Who knows how
    much time the machine will take to boot?

        So ... in the case of a soft restart of the firewall ( clean and
    reload iptables rules ) it seems that established connections would remain
    as established. Connection tracking is NOT done directly by iptables.
    In fact it's done by the ip_conntrack kernel module. I've done the following
    tests:

        1) loaded ip_tables and ip_conntrack on a linux machine. NO iptables
    rules were entered at all, everything was default ACCEPT. I watched
    /proc/net/ip_conntrack and noticed that connections were there. I've
    tried several 'iptables -F; iptables -X; iptables -Z' and noticed that
    connection states were NOT cleaned up.

        2) I've unloaded all ip_tables modules and left just ip_conntrack
    loaded. The /proc/net/ip_conntrack file was correctly maintained.

        I've not REALLY tested this, but from these simple tests, it seems that a
    soft restart of the firewall ( 1-2 seconds ) would NOT lose opened
    connections, as states are NOT kept directly by ip_tables.

        What do you think about that?

        Sincerely,
        Leonardo Rodrigues

    ----- Original Message -----
    From: "Blue Boar" <BlueBoarthievco.com>
    To: "Leonardo Rodrigues" <coelhopersogo.com.br>
    Cc: <vuln-devsecurityfocus.com>
    Sent: Tuesday, December 11, 2001 4:00 PM
    Subject: Re: iptables 'syn but not new' packets

    > Note: I haven't used ipfilter yet, so I'm speculating. However, I think
    > I have a pretty good idea of what's going on.
    >
    > If you've got load-balancing firewalls (like in the example you gave), or
    > if you happen to reload iptables in the middle of the day... what happens
    > to your connections? What if you were in the middle of downloading a
    > 650MB ISO image? If you restart the firewall, when it comes back
    > with an empty table, no SYN packet would have been seen, and the connection
    > will be blocked.
    >
    > However, if you add a feature like the above, it can then add an entry
    > to the table, and permit the rest of the connection. The obvious
    > question is: how does the firewall know that this is the continuation
    > of a previous connection, or if it's an attacker trying to play games?
    >
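The test described in the message above (snapshot /proc/net/ip_conntrack, flush the rules with 'iptables -F; iptables -X; iptables -Z', snapshot again and see which states vanished), as an added example that is not part of the original thread. It assumes a 2.4-era kernel exposing /proc/net/ip_conntrack in the whitespace-separated format shown; the sample table is constructed, not captured from a real host, and the live check needs root.

```python
"""Added example, not from the thread: does flushing iptables rules drop
conntrack state? The sample table is constructed in the 2.4
/proc/net/ip_conntrack format (assumption: that format, that path)."""
import re
import subprocess

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_conntrack(text):
    """Map each entry's original-direction tuple (proto, src, dst, sport, dport)
    to its TCP state, or '-' for stateless protocols such as UDP."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        proto = parts[0]
        # TCP lines carry a state word before the first src=; UDP/ICMP do not.
        state = parts[3] if proto == "tcp" else "-"
        # The first src/dst/sport/dport group is the original direction;
        # the reply direction (and [UNREPLIED]/[ASSURED]) follows it.
        fields = _FIELD.findall(line)[:4]
        table[(proto,) + tuple(v for _, v in fields)] = state
    return table


def lost_entries(before, after):
    """Entries present before the rule flush but missing afterwards."""
    return sorted(k for k in before if k not in after)


# Constructed snapshots (RFC 5737 documentation addresses, not real traffic).
SAMPLE_BEFORE = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=34567 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=34567 [ASSURED] use=1
tcp      6 60 SYN_SENT src=192.0.2.10 dst=198.51.100.7 sport=34568 dport=22 [UNREPLIED] src=198.51.100.7 dst=192.0.2.10 sport=22 dport=34568 use=1
udp      17 27 src=192.0.2.10 dst=198.51.100.9 sport=5353 dport=53 src=198.51.100.9 dst=192.0.2.10 sport=53 dport=5353 use=1
"""
# "After": the half-open SYN_SENT entry timed out on its own; the rest survived.
SAMPLE_AFTER = "\n".join(l for l in SAMPLE_BEFORE.splitlines() if "SYN_SENT" not in l)


def check_live(path="/proc/net/ip_conntrack"):
    """Snapshot, flush rules exactly as in the message, snapshot again (root)."""
    before = parse_conntrack(open(path).read())
    for flag in ("-F", "-X", "-Z"):
        subprocess.run(["iptables", flag], check=True)
    after = parse_conntrack(open(path).read())
    return lost_entries(before, after)


if __name__ == "__main__":
    print(lost_entries(parse_conntrack(SAMPLE_BEFORE), parse_conntrack(SAMPLE_AFTER)))
```

An empty list from check_live() on a real host is the result the message reports: the rule flush left the conntrack table intact.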