View Issue Details

| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001768 | Endian Firewall | Firewall (iptables) | public | 2009-04-13 13:10 | 2009-06-10 11:01 |

| Field | Value |
|---|---|
| Reporter | mike-f |
| Assigned To | peter-endian |
| Priority | normal |
| Severity | feature |
| Reproducibility | always |
| Status | new |
| Resolution | open |
| Platform | |
| OS | |
| OS Version | |
| Product Version | 2.2-rc3 |
| Target Version | |
| Fixed in Version | |
| Summary | 0001768: drop new connections without syn-flag via default-ruleset |
| Tags | No tags attached. |
| Attached Files | |

Description

iptables command:

    -p tcp ! --syn -m state --state NEW -j DROP
    tcp flags:!SYN,RST,ACK/SYN state NEW
    tcp flags:!0x16/0x02 state NEW

Additional Information

We want connections to use the correct handshake (syn, syn ack, ack). Initial (new) connections must have the syn-flag set, otherwise we drop the connection as we are stateful.
Notes

(0002135) mike-f (updater) 2009-04-13 13:19

For the green-IF we implemented a reject-rule (we don't want to wait for a timeout on our clients):

    -p tcp ! --syn -m state --state NEW -i eth0 -j REJECT
    -p tcp ! --syn -m state --state NEW -i br0 -j REJECT

(0002138) peter-endian (administrator) 2009-04-14 10:57

This was in fact so before, but it causes problems when you have a triangle communication where replies don't pass the same path as requests. If you have a router behind a zone you have exactly that constellation, and that's a pretty usual scenario.

(0002142) mike-f (updater) 2009-04-14 12:34

Referencing bug id 1515? http://bugs.endian.com/view.php?id=1515 Somehow not very clear to me: in that constellation you use the same nets on different interfaces? Have to reply here as the other bug is closed.

(0002148) peter-endian (administrator) 2009-04-14 19:29

Made 0001515 more clear. For the VPN firewall (enterprise version) it's even more complicated, since you can have multiple VPNs connected to the same sites causing a loop, where it is legitimate to have requests using one path and responses another one. I think the best solution would be to make NewNotSyn checks configurable through the rule editor or as a global option for each firewall section.

(0002149) mike-f (updater) 2009-04-14 19:34

Some kind of "lockdown-button" sounds good.
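As an added example (not code from the bug report or from Endian), a small Python model of the match in the description that shows which TCP packets the rule drops, including the asymmetric-path ACK that note 0002138 describes; the TCP flag bit values and the iptables MASK/COMP semantics are assumed from the iptables manual, not taken from the page.

```python
# Added example, not part of the Endian bug report: a model of the iptables match
# "-p tcp ! --syn -m state --state NEW" from the description. The page's three listings
# are one match: "--syn" is the flag test "SYN,RST,ACK/SYN" (hex 0x16/0x02), i.e. of the
# bits SYN|RST|ACK exactly SYN must be set; the leading "!" negates it.
# Assumed: standard TCP flag bit values and the --tcp-flags MASK/COMP semantics.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}

def _flags(text):
    """Turn 'SYN,RST,ACK', 'ALL', 'NONE' or hex like '0x16' into a flag bitmask."""
    text = text.strip()
    if text.startswith("0x"):
        return int(text, 16)
    if text in ("NONE", "ALL"):
        return 0 if text == "NONE" else FIN | SYN | RST | PSH | ACK | URG
    return sum(FLAG_BITS[name.strip()] for name in text.split(","))

def parse_tcp_flags(spec):
    """Parse an iptables flag match '[!]MASK/COMP' into (negated, mask, comp)."""
    negated = spec.startswith("!")
    mask, comp = spec.lstrip("!").split("/")
    return negated, _flags(mask), _flags(comp)

def flags_match(flags, spec):
    """--tcp-flags semantics: the packet matches when (flags & MASK) == COMP."""
    negated, mask, comp = parse_tcp_flags(spec)
    hit = (flags & mask) == comp
    return not hit if negated else hit

def verdict(flags, ct_state, spec="!SYN,RST,ACK/SYN"):
    """What the report's rule does with one packet: 'DROP', or 'PASS' if the rule is not hit."""
    if ct_state != "NEW":  # -m state --state NEW: packets in other states are not inspected
        return "PASS"
    return "DROP" if flags_match(flags, spec) else "PASS"

def specs_equivalent(spec_a, spec_b):
    """True when two flag specs give the same answer for all 64 flag combinations."""
    return all(flags_match(f, spec_a) == flags_match(f, spec_b) for f in range(0x40))

if __name__ == "__main__":
    # Constructed sample packets: (flags, conntrack state, what the packet represents).
    samples = [
        (SYN, "NEW", "handshake start"),
        (SYN | ACK, "NEW", "SYN/ACK for a SYN the firewall never saw"),
        (ACK, "NEW", "mid-stream ACK on an asymmetric path (the case in note 0002138)"),
        (ACK, "ESTABLISHED", "mid-stream ACK of a tracked connection"),
    ]
    for flags, state, what in samples:
        print(f"{verdict(flags, state):4} flags=0x{flags:02x} state={state:<11} {what}")
    print("name and hex forms agree:", specs_equivalent("!SYN,RST,ACK/SYN", "!0x16/0x02"))
```

The third sample is why the rule was reverted: a reply that takes a different path never shows the firewall its SYN, so conntrack calls the first ACK it sees NEW and the rule drops it.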
Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2009-04-13 13:10 | mike-f | New Issue | |
| 2009-04-13 13:10 | mike-f | Assigned To | => peter-endian |
| 2009-04-13 13:19 | mike-f | Note Added: 0002135 | |
| 2009-04-14 10:57 | peter-endian | Note Added: 0002138 | |
| 2009-04-14 12:34 | mike-f | Note Added: 0002142 | |
| 2009-04-14 19:25 | peter-endian | Relationship added | related to 0001515 |
| 2009-04-14 19:29 | peter-endian | Note Added: 0002148 | |
| 2009-04-14 19:34 | mike-f | Note Added: 0002149 | |
| 2009-06-10 11:01 | peter-endian | Severity | minor => feature |