[Gllug] Firewall Setup Script

Simon A. Boggis simon at dcs.qmul.ac.uk
Thu Oct 2 01:23:45 UTC 2003


On Mon, 2003-09-29 at 23:01, David Pashley wrote:
> On Sep 29, 2003 at 22:48, Mick Farmer praised the llamas by saying:
[...]
> Why use --syn everywhere. Given the fact that you accept established or
> related packets at the top, everything else is going to be new
> connections.

Actually this is quite common and useful, despite the useless
appearance.

When you say '-p tcp -m state --state NEW' you don't just match
start-of-connection (syn) packets as you might expect. If you set up a
rule like this and then try sending packets other than syn you'll find
that you can establish state with other types. This is a feature, not a
bug: it allows connections which have timed out of the state table but
haven't timed out from the IP point of view to resume, and it allows
connections to resume unbroken when switching to a backup router (which
hence has no state table entries for an ongoing tcp session).

Of course, it also allows someone to do stealth scanning through your
firewall, so in many cases you'll want to prevent this. For a client
machine, I would say most definitely. 

The simplest way to achieve this, rather than specifying --syn with
every --state NEW for tcp is to do something like:

-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  and possibly
-A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
  if you are a router

very early on in your rules.

Simon

-- 
----------------------------------------------------------------------
Dr Simon A. Boggis                                  Systems Programmer
Department of Computer Science,                     Tel. 020 7882 7522
Queen Mary, University of London, London E1 4NS UK. 
---- GPG public key <http://www.dcs.qmul.ac.uk/~simon/#publickey> ----
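An added example (not part of Simon's post or any script from the list): a small sh script that emits the ruleset described above in iptables-restore(8) syntax, with the "! --syn ... --state NEW -j DROP" guard placed before the first rule that accepts NEW connections, next to a "loose" variant that omits it. The helper functions only inspect the generated text, so the script runs without root or iptables; it loads the strict ruleset only when invoked as "sh script.sh apply" by root. Assumptions: a 2003-era kernel with the "state" match (modern kernels spell the same thing "-m conntrack --ctstate"), and a host whose only offered service is ssh on port 22; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Builds an iptables-restore
# filter-table ruleset. With mode "strict" the non-SYN/NEW guard from the
# post sits before any rule that accepts NEW connections, so a bare ACK,
# FIN or RST to an open port never creates a state-table entry.
# Assumed host policy: everything dropped except loopback and ssh (22).

# $1 = "loose" (guard omitted) or "strict" (guard placed first).
build_rules() {
    mode="$1"
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Packets belonging to a connection conntrack already tracks.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    if [ "$mode" = "strict" ]; then
        # The guard: a TCP packet that conntrack classifies as NEW but
        # that is not a SYN is dropped here, before the accept rules
        # below can match it and create state for it.
        printf '%s\n' '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP'
        printf '%s\n' '-A FORWARD -p tcp ! --syn -m state --state NEW -j DROP'
    fi
    # The service actually offered. Note that "--state NEW" on its own
    # would also match non-SYN packets to this port.
    printf '%s\n' '-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Line number of the first generated line matching a grep pattern;
# empty if the pattern does not occur. $1 = mode, $2 = pattern.
rule_line() {
    build_rules "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# True when the guard exists and precedes the first NEW-accept rule,
# i.e. the ordering the post asks for ("very early on in your rules").
guard_precedes_accept() {
    g=$(rule_line "$1" '! --syn')
    a=$(rule_line "$1" 'state NEW -j ACCEPT')
    [ -n "$g" ] && [ "$g" -lt "$a" ]
}

# Load the strict ruleset only when explicitly asked and running as root.
if [ "$1" = "apply" ] && [ "$(id -u)" = 0 ]; then
    build_rules strict | iptables-restore
fi
```

To see the difference the guard makes from another host, an ACK scan of the ssh port (nmap -sA -p 22 host) reports the port "unfiltered" under the loose ruleset, because the bare ACK is accepted as NEW, reaches the TCP stack and draws a RST back, while with the guard in place no reply leaves the box and nmap reports "filtered". The same scan against a port with no accept rule is "filtered" either way, which is exactly how the loose ruleset leaks which ports are open.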


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug