
Re: [linux-team] firewal stateful ?



Packet state filtering

   Packet state filtering can be used for any TCP flow to short-cut later
   filtering. The "short-cuts" are kept in a table, with no alterations
   to the packet filter list made. Subsequent packets, if a matching
   packet is found in the table, are not passed through the list. For TCP
   flows, the filter will follow the ack/sequence numbers of packets and
   only allow packets through which fall inside the correct window.
   
#
# Keep state for all outgoing telnet connections
# and disallow all other TCP traffic.
#
pass out on le1 proto tcp from any to any port = telnet keep state
block out on le1 all
   
   For UDP packets, packet exchanges are effectively stateless. However,
   if a packet is first sent out from a given port, a reply is usually
   expected in answer, in the `reverse' direction.
#
# allow UDP replies back from name servers
#
pass out on le1 proto udp from any to any port = domain keep state
   
   Held UDP state is timed out, as is TCP state for entries added which
   do not have the SYN flag set. If an entry is created with the SYN flag
   set, any subsequent matching packet which doesn't have this flag set
   (i.e. a SYN-ACK) will cause it to be "timeless" (actually, the timeout
   defaults to 5 days), until either a FIN or RST is seen.

Here is something for the ip-filter fans.....

alx

 [META]       [   Alexandre Dulaunoy   ] USER, n. The word computer  
 [T]echnology [   [AD4384-DARPA]       ] professionals use when they
 [I]nterface  [   [AD993-RIPE]         ] mean "idiot". 
 [X]change    [   adulau@metatix.com   ] http://unix.be.EU.org/
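
As an added example (not ipfilter code, and not part of the original mail), a small Python model of the "keep state" behaviour described above: a state table consulted before the rule list, short timeouts for UDP and non-SYN TCP entries, and the 5-day lifetime for a SYN entry once its reply is seen. The rule-tuple format, the 60-second short timeout, the extra "block in all" rule and first-match rule ordering are assumptions; the TCP sequence-window check is not modelled.

```python
SHORT_TTL = 60          # assumed: seconds before UDP and non-SYN TCP entries time out
LONG_TTL = 5 * 86400    # "timeless" TCP entries: the 5-day default quoted above
SYN, FIN, RST = 0x02, 0x01, 0x04   # TCP flag bits

class StatefulFilter:
    """Rules: (action, direction, proto, dport, keep_state); proto 'all' and
    dport None are wildcards. First matching rule wins here (ipfilter's own
    default is last-match unless 'quick'; first-match keeps the model short)."""
    def __init__(self, rules):
        self.rules = rules
        self.table = {}     # state key -> {'expires': t, 'syn': bool}

    @staticmethod
    def _key(pkt):
        # direction-independent key, so a reply matches the entry its request made
        proto, src, sport, dst, dport = pkt
        return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))

    def check(self, pkt, direction, now, flags=0):
        key = self._key(pkt)
        entry = self.table.get(key)
        if entry is not None and entry['expires'] < now:
            del self.table[key]         # timed out: back to the rule list
            entry = None
        if entry is not None:
            # short-cut: a matching table entry bypasses the rule list entirely
            if pkt[0] == 'tcp' and flags & (FIN | RST):
                entry['syn'] = False            # FIN/RST ends the timeless state
                entry['expires'] = now + SHORT_TTL
            elif pkt[0] == 'tcp' and entry['syn'] and flags != SYN:
                entry['expires'] = now + LONG_TTL   # answer to the SYN (SYN-ACK)
            else:
                entry['expires'] = now + SHORT_TTL
            return 'pass'
        for action, rdir, rproto, rport, keep in self.rules:
            if rdir != direction or rproto not in ('all', pkt[0]):
                continue
            if rport is not None and rport != pkt[4]:
                continue
            if action == 'pass' and keep:
                self.table[key] = {'expires': now + SHORT_TTL, 'syn': bool(flags & SYN)}
            return action
        return 'pass'   # assumed default when no rule matches

# The quoted rule set plus an assumed 'block in all' (constructed), so replies
# can only get back in through the state table.
RULES = [('pass', 'out', 'tcp', 23, True), ('pass', 'out', 'udp', 53, True),
         ('block', 'out', 'all', None, False), ('block', 'in', 'all', None, False)]
```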

On Sat, 19 Feb 2000, Cedric Amand wrote:

> Hello Rémi,
> 
> RL> a few days ago there was a discussion about firewalls under
> RL> linux/openbsd.
> RL> So it would seem that it is much more secure under OpenBSD because it is
> RL> stateful.
> RL> Since I have set up a firewall with ipchains, I am wondering about this.
> RL> What is a stateful FW, and what is its advantage over one that is not?
> RL> Thanks,
> 
> First of all, ipchains is not a "firewall" in the sense in which Checkpoint
> or Raptor make firewalls. It is port screening at the kernel level
> which, augmented with IP forwarding, gives a pseudo-firewall.
> 
> A stateful firewall (FW1/Raptor/...) retains the state of connections.
> 
> A very simple example: it refuses ICMP replies if nobody on the
> network has sent an ICMP echo.
> With ipchains, if you want to be able to ping, you have to open up inbound
> ICMP, which allows every machine on your network to be smurfed.
> With a firewall worthy of the name, it knows (state) that nobody has
> requested an ICMP echo (e.g. in the previous minute) and so any
> ICMP reply coming from God knows where has no business being on the network,
> whereas if someone pings from the inside, it lets the ICMP replies
> destined for that IP through for a time "x" and then closes it
> again.
> 
> Obviously, extend this to all ports, to passive FTP, in short to all
> services.
> 
> PS
> I had offered to give a little linux security talk at
> linuxexpo but I got a flat refusal ;)
> 
> -- 
> --< Cédric "Ced" Amand >---< Security Manager & Unix Sysadmin >--
> --< http://cedric.net/ >---< @ Skynet - http://www.skynet.be/ >--


---------
Visit the Linux Supertore Online: http://www.redcorp.com !
If you want to be deleted from the list, send a mail to
majordomo@rtfm.be with "unsubscribe linux-team" in the body.
Archive of the list: http://tania.be.linux.org/