SYSTEM WARNING: 'date_default_timezone_get(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone.' in '/usr/share/mantis/www/core.php' line 264

0001768: drop new connections without syn-flag via default-ruleset - MantisBT Endian Bugtracker
Endian Issue Tracker





Please see now our new Bugtracker system: JIRA








View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0001768Endian FirewallFirewall (iptables)public2009-04-13 13:102009-06-10 11:01
Reportermike-f 
Assigned Topeter-endian 
PrioritynormalSeverityfeatureReproducibilityalways
StatusnewResolutionopen 
PlatformOSOS Version
Product Version2.2-rc3 
Target VersionFixed in Version 
Summary0001768: drop new connections without syn-flag via default-ruleset
Descriptioniptables command:
-p tcp ! --syn -m state --state NEW -j DROP


tcp flags:!SYN,RST,ACK/SYN state NEW
tcp flags:!0x16/0x02 state NEW
Additional Informationwe want connections to use the correct handshake using sys, syn ack, ack

initial (new) connections must have the syn-flag set
otherwise we drop the connection as we are stateful
TagsNo tags attached.
Attached Files

- Relationships
related to 0001515closedpeter-endian zonefw: --state NEW check blocks communication to clients behind a router due to triangle connection 

-  Notes
(0002135)
mike-f (updater)
2009-04-13 13:19

for the green-IF we implemented a reject-rule
(we don't want to wait for a timeout on our clients)

-p tcp ! --syn -m state --state NEW -i eth0 -j REJECT
-p tcp ! --syn -m state --state NEW -i br0 -j REJECT
(0002138)
peter-endian (administrator)
2009-04-14 10:57

this was in fact so before, but it causes problems when you have a triangle communication where replies don't pass the same path as requests.

If you have a router behind a zone you have exactly that constellation and that's a pretty usual scenario.
(0002142)
mike-f (updater)
2009-04-14 12:34

referencing bug id 1515?
http://bugs.endian.com/view.php?id=1515 [^]

somehow not very clear to me:
in that constellation you use the same nets on different interfaces?

have to reply here as the other bug is closed
(0002148)
peter-endian (administrator)
2009-04-14 19:29

made 0001515 more clear.

for the vpn firewall (enterprise version) it's even more complicated, since you can have multiple vpn's connected to same sites causing a loop, where it is legitime to have requests using one path and responses another one.

i think the best solution would be to make NewNotSyn checks configurable through the rule editor or global option for each firewall section
(0002149)
mike-f (updater)
2009-04-14 19:34

some kind of "lockdown-button" sounds good

- Issue History
Date Modified Username Field Change
2009-04-13 13:10 mike-f New Issue
2009-04-13 13:10 mike-f Assigned To => peter-endian
2009-04-13 13:19 mike-f Note Added: 0002135
2009-04-14 10:57 peter-endian Note Added: 0002138
2009-04-14 12:34 mike-f Note Added: 0002142
2009-04-14 19:25 peter-endian Relationship added related to 0001515
2009-04-14 19:29 peter-endian Note Added: 0002148
2009-04-14 19:34 mike-f Note Added: 0002149
2009-06-10 11:01 peter-endian Severity minor => feature

Copyright © 2005-2008 Endian, SRL. All rights reserved.


Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker