Re: [SLUG] iptables

From: Julian Sasse (clientserver@hotmail.com)
Date: Sun Apr 29 2001 - 14:12:50 EDT


Sorry, I know this doesn't answer your questions (I have yet to set up
iptables myself -- I am still using 2.2.19 until a fixed 2.4 version comes
out) but you should definitely consider these when writing your iptables
rules:
http://www.tempest.com.br/advisories/01-2001.html (*ALL* 2.4-based Linux
distros)
http://www.redhat.com/support/errata/RHSA-2001-052.html (Red Hat summary of
the above - no fix yet)
The implication of this advisory is that anyone with any ftp client can
easily make your firewall (practically) useless, and it even provides a
handy Perl script exploit for those script kiddies that are too stupid to
use command-line ftp.

Basically you want to either get the patch (for the 2.4.3 kernel) at
http://netfilter.samba.org/security-fix/ and recompile and/or do NOT use the
following common rule:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
To avoid the rather serious security issue listed in the above advisories,
you have to be a lot more restrictive about the "RELATED" connections you
allow (i.e. only to/from specific IPs, ports, etc.) if you don't have the
patched kernel.

Cheers,
--Julian
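The restriction the post recommends, written out as an added example (this is not from the original message and not from the netfilter project). It puts the common blanket rule beside a restricted version that only accepts RELATED connections where the FTP conntrack helper has a legitimate reason to create them, going slightly beyond the post by also keeping RELATED ICMP errors and logging whatever else arrives as RELATED. Assumptions: an FTP server sits behind the firewall at a constructed placeholder address (FTP_SERVER), and with IPTABLES left unset the functions only print the commands instead of loading them, so the script can be read and dry-run without root.

```shell
#!/bin/sh
# Added example, not from the original post. With IPTABLES unset the functions
# only print the iptables commands they would run (dry run); set
# IPTABLES=iptables and run as root to actually load them. FTP_SERVER is a
# constructed placeholder for an FTP server sitting behind the firewall.
IPTABLES="${IPTABLES:-echo}"
FTP_SERVER="${FTP_SERVER:-192.0.2.10}"

# The common rule quoted in the post: any connection conntrack marks RELATED is
# forwarded, no matter which host or port it is headed for.
weak_forward_rules() {
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Restricted version. ESTABLISHED traffic is still accepted wholesale, because
# those packets belong to connections an earlier rule already allowed.
# RELATED is only accepted where the FTP helper legitimately creates it:
# passive-mode data channels to the FTP server's unprivileged ports, and
# active-mode data channels the server opens from port 20. ICMP errors tied to
# a tracked connection stay allowed so path-MTU discovery and unreachable
# notices keep working. Anything else claiming to be RELATED is logged and
# dropped instead of silently accepted.
restricted_forward_rules() {
    $IPTABLES -A FORWARD -m state --state ESTABLISHED -j ACCEPT
    # passive FTP: client -> server unprivileged port
    $IPTABLES -A FORWARD -m state --state RELATED -p tcp -d "$FTP_SERVER" --dport 1024:65535 -j ACCEPT
    # active FTP: server port 20 -> client unprivileged port
    $IPTABLES -A FORWARD -m state --state RELATED -p tcp -s "$FTP_SERVER" --sport 20 --dport 1024:65535 -j ACCEPT
    # ICMP errors that belong to an existing tracked connection
    $IPTABLES -A FORWARD -m state --state RELATED -p icmp -j ACCEPT
    # everything else that arrives as RELATED: log it, then drop it
    $IPTABLES -A FORWARD -m state --state RELATED -j LOG --log-prefix "unexpected RELATED: "
    $IPTABLES -A FORWARD -m state --state RELATED -j DROP
}

echo '# common (weak) rule:'
weak_forward_rules
echo '# restricted rules:'
restricted_forward_rules
```

Run it as-is to see the two rule sets side by side; the LOG line is there so that RELATED entries the restricted rules refuse show up in the kernel log, which is the quickest way to notice a helper being fed unexpected port requests. Rule order matters: the ACCEPT rules for the FTP server must come before the catch-all LOG and DROP.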