Re: iptables: "stateful inspection?"

From: Michael H. Warfield (mhw@wittsend.com)
Date: Wed Dec 20 2000 - 12:13:51 EST

Next message: Andi Kleen: "Re: getsockopt() with IP_PKTINFO not working?"
Previous message: Michael H. Warfield: "Re: iptables: "stateful inspection?""
In reply to: David Lang: "Re: iptables: "stateful inspection?""
Next in thread: Michael Rothwell: "Re: iptables: "stateful inspection?""
Reply: Michael Rothwell: "Re: iptables: "stateful inspection?""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Dec 20, 2000 at 08:51:34AM -0800, David Lang wrote:
> On Wed, 20 Dec 2000, Michael Rothwell wrote:

> > Date: Wed, 20 Dec 2000 11:30:15 -0500
> > From: Michael Rothwell <rothwell@holly-springs.nc.us>
> > To: Michael H. Warfield <mhw@wittsend.com>
> > Cc: linux-kernel@vger.kernel.org
> > Subject: Re: iptables: "stateful inspection?"

> > "Michael H. Warfield" wrote:
> > > I think that's more than a little overstatement on your
> > > part. It depends entirely on the application you intend to put
> > > it to.

> > Fine. How do I make FTP work through it? How can I allow all outgoing
> > TCP connections without opening the network to inbound connections on
> > the ports of desired services?
> >

> for the issue of outbound TCP connections you can set ipchains filters
> based on the Syn flag to prevent inbound connections.

> for FTP I don't know off the top of my head how to do it when not
> masquerading, when NAT is turned on load the FTP masq helper module and it
> will allow you to do ftp out with no problems.

You can use spf to add some stateful inspection for PORT mode
ftp. Personally, I like the masquerading option better, though.

> the real point that you need the stateful filtering is on UDP ports. for
> that again I don't know any way when not doing NAT, but when NAT is
> enabled it does do basic stateful filtering (but watch out for timeouts)

Stateful filter also helps block FIN scans and other stealth
scans, as well as some other esoteric attacks (fragmentation attacks,
Ping'O Death, etc...). There are other ways to deal with those attacks
as well, but stateful filtering helps. You also need it if you want to
take advantage of some ICMP as well.

Big thing for me about NetFilter over IPChains, in addition to
statefull inspection, is the fact that we finally have an IPv6 aware
firewall now. I've been chomping at the bit to get on IPv6 but
couldn't till I had working firewall code for that.

> David Lang

> > > Yes it does. It's clearly stated in all the documentation
> > > on netfilter and in it's design. Read the fine manual (or web site)
> > > and you would have uncovered this (or been run over by it) for yourself.
> > >
> > > http://netfilter.filewatcher.org/
> >
> > Thanks.
> >
> > -M

Mike

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andi Kleen: "Re: getsockopt() with IP_PKTINFO not working?"
Previous message: Michael H. Warfield: "Re: iptables: "stateful inspection?""
In reply to: David Lang: "Re: iptables: "stateful inspection?""
Next in thread: Michael Rothwell: "Re: iptables: "stateful inspection?""
Reply: Michael Rothwell: "Re: iptables: "stateful inspection?""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Sat Dec 23 2000 - 21:00:27 EST