Vulnerability Development mailing list archives
Re: iptables 'new but not syn' packets
From: "Leonardo Rodrigues" <coelho () persogo com br>
Date: Thu, 13 Dec 2001 11:20:42 -0300
Problems with more than one iptables-based router are pretty obvious. This 'new but not syn' feature was apparently built exactly for these situations. Although, I'm analysing this in a specific situation: only 1 iptables-based router.

Dropping INVALID packets seems not to deal with these packets. As I stated, iptables recognizes them as NEW state. So a rule that drops INVALID ones wouldn't care about them.

Sincerely,
Leonardo Rodrigues

----- Original Message -----
From: <sekure () gmx co uk>
To: "Leonardo Rodrigues" <coelho () persogo com br>
Sent: Tuesday, December 11, 2001 4:38 PM
Subject: Re: iptables 'syn but not new' packets
Although this should be safe for single machines, such a setting may cause problems for LANs which have multiple routers connecting them.

Suppose the SYN and the SYN/ACK travel through one router, but the ACK, or perhaps some other packets, travel through another router. Packets seen by this second router are classified NEW or INVALID by iptables. Since dropping INVALID-classified packets appears to be a common practice, I may be overlooking something. Any ideas?
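As an added illustration, not part of either poster's message: a small Python model of how the two rules under discussion, `-m state --state INVALID -j DROP` and `-p tcp ! --syn -m state --state NEW -j DROP`, treat the packets in question. The conntrack part is a simplified model of the kernel's TCP state table for packets that have no existing conntrack entry (a tracked flow is just treated as ESTABLISHED); the `tcp_loose` parameter is an assumption that mirrors the `nf_conntrack_tcp_loose` sysctl of current kernels, which the 2001 thread does not discuss. The scenario list is constructed from the cases the two messages describe.

```python
# Added example (not from the thread): a model of how the two iptables rules
# discussed above treat TCP packets. The conntrack part is a simplified model
# of the kernel's TCP state table for packets with no existing conntrack
# entry; it is not the kernel's code.

SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"


def is_syn_packet(flags):
    """iptables '--syn': SYN set and ACK, RST, FIN all clear.

    That is what a genuine connection opener looks like; '! --syn' matches
    every other TCP packet."""
    f = set(flags)
    return SYN in f and not (f & {ACK, RST, FIN})


def conntrack_state(flags, tracked, tcp_loose=True):
    """Return the state ('NEW', 'ESTABLISHED' or 'INVALID') that '-m state'
    sees for one incoming TCP packet.

    tracked   -- this router already holds a conntrack entry for the flow
                 (it saw the handshake). The multi-router case in the thread
                 is tracked=False: the handshake went through another box.
    tcp_loose -- assumption: mirrors the nf_conntrack_tcp_loose sysctl of
                 current kernels. When set (the default) a bare ACK for an
                 unknown flow is picked up as NEW; when cleared it is INVALID.
    """
    f = set(flags)
    if tracked:
        # Simplification: any packet of a known flow is treated as part of it.
        return "ESTABLISHED"
    # Unknown flow. Checks follow the kernel's flag-index order:
    # RST, SYN+ACK, SYN, FIN, ACK.
    if RST in f:
        return "INVALID"
    if SYN in f and ACK in f:
        return "INVALID"
    if SYN in f:
        return "NEW"            # a plain SYN (even SYN+FIN) opens a flow
    if FIN in f:
        return "INVALID"
    if ACK in f:
        return "NEW" if tcp_loose else "INVALID"
    return "INVALID"


def drop_invalid_matches(flags, tracked, tcp_loose=True):
    """Rule: -A INPUT -p tcp -m state --state INVALID -j DROP"""
    return conntrack_state(flags, tracked, tcp_loose) == "INVALID"


def drop_new_not_syn_matches(flags, tracked, tcp_loose=True):
    """Rule: -A INPUT -p tcp ! --syn -m state --state NEW -j DROP"""
    return (conntrack_state(flags, tracked, tcp_loose) == "NEW"
            and not is_syn_packet(flags))


def classify(flags, tracked, tcp_loose=True):
    """Summarize what each rule does with one packet."""
    return {
        "state": conntrack_state(flags, tracked, tcp_loose),
        "dropped_by_invalid_rule": drop_invalid_matches(flags, tracked, tcp_loose),
        "dropped_by_new_not_syn_rule": drop_new_not_syn_matches(flags, tracked, tcp_loose),
    }


# Constructed scenarios taken from the cases the thread describes.
SCENARIOS = {
    "handshake SYN, unknown flow": ([SYN], False),
    "ACK of a flow this router never saw (second router / ACK scan)": ([ACK], False),
    "ACK of a flow this router tracks": ([ACK], True),
    "SYN+FIN probe, unknown flow": ([SYN, FIN], False),
    "stray RST, unknown flow": ([RST], False),
}

if __name__ == "__main__":
    for tcp_loose in (True, False):
        print(f"tcp_loose={int(tcp_loose)}")
        for name, (flags, tracked) in SCENARIOS.items():
            r = classify(flags, tracked, tcp_loose)
            print(f"  {name:62s} {r['state']:11s} "
                  f"INVALID-rule={str(r['dropped_by_invalid_rule']):5s} "
                  f"new-not-syn-rule={r['dropped_by_new_not_syn_rule']}")
```

The second scenario is the one both messages are about: with the kernel's default loose pickup, an ACK for a flow the router never saw is NEW, so the INVALID rule ignores it and only the `! --syn --state NEW` rule drops it; with `nf_conntrack_tcp_loose=0` the same packet is INVALID and the roles reverse. On a single router the same situation arises whenever a live connection outlives its conntrack entry, for instance after the router reboots, so dropping these packets cuts those connections rather than letting them be picked up again. On current iptables the match is written `-m conntrack --ctstate NEW`; the semantics above are unchanged.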
Current thread:
- Re: iptables 'new but not syn' packets Leonardo Rodrigues (Dec 13)
- Re: iptables 'new but not syn' packets Cedric Blancher (Dec 14)