SYSTEM WARNING: 'date_default_timezone_get(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone.' in '/usr/share/mantis/www/core.php' line 264
|Anonymous | Login||2021-11-27 02:02 UTC|
|Main | My View | View Issues | Change Log | Roadmap|
|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001768||Endian Firewall||Firewall (iptables)||public||2009-04-13 13:10||2009-06-10 11:01|
|Target Version||Fixed in Version|
|Summary||0001768: drop new connections without syn-flag via default-ruleset|
-p tcp ! --syn -m state --state NEW -j DROP
tcp flags:!SYN,RST,ACK/SYN state NEW
tcp flags:!0x16/0x02 state NEW
|Additional Information||we want connections to use the correct handshake using sys, syn ack, ack|
initial (new) connections must have the syn-flag set
otherwise we drop the connection as we are stateful
|Tags||No tags attached.|
for the green-IF we implemented a reject-rule
(we don't want to wait for a timeout on our clients)
-p tcp ! --syn -m state --state NEW -i eth0 -j REJECT
-p tcp ! --syn -m state --state NEW -i br0 -j REJECT
this was in fact so before, but it causes problems when you have a triangle communication where replies don't pass the same path as requests.
If you have a router behind a zone you have exactly that constellation and that's a pretty usual scenario.
referencing bug id 1515?
somehow not very clear to me:
in that constellation you use the same nets on different interfaces?
have to reply here as the other bug is closed
made 0001515 more clear.
for the vpn firewall (enterprise version) it's even more complicated, since you can have multiple vpn's connected to same sites causing a loop, where it is legitime to have requests using one path and responses another one.
i think the best solution would be to make NewNotSyn checks configurable through the rule editor or global option for each firewall section
|some kind of "lockdown-button" sounds good|
|2009-04-13 13:10||mike-f||New Issue|
|2009-04-13 13:10||mike-f||Assigned To||=> peter-endian|
|2009-04-13 13:19||mike-f||Note Added: 0002135|
|2009-04-14 10:57||peter-endian||Note Added: 0002138|
|2009-04-14 12:34||mike-f||Note Added: 0002142|
|2009-04-14 19:25||peter-endian||Relationship added||related to 0001515|
|2009-04-14 19:29||peter-endian||Note Added: 0002148|
|2009-04-14 19:34||mike-f||Note Added: 0002149|
|2009-06-10 11:01||peter-endian||Severity||minor => feature|
|Copyright © 2000 - 2012 MantisBT Group|