Paul S. wrote:
> Stephen Clowater wrote:
>
> | You can not block ICMP; it breaks TCP. It's a "Control Message Protocol"
> | for a reason. If you block it, you can not send squelches, routes
> | unreachable, etc. Point being, block ICMP on your local box, you will
> | see a few odd problems, but nothing too devastating. Block it on a piece of
> | networking hardware, you will $%@#$ up a network.
>
> Without attempting to make the thread any longer, the problem with the
> above logic is that it assumes that the 'firewall' system is not working
> with 'related' packets. You can drop all the ICMP traffic you want, the
> required ICMP packets will still get out (and in) so long as the
> 'firewall' system keeps track of 'related sessions'. If an ICMP packet
> needs to get in and it's related to a current session, the firewall will
> let it in. If it's unrelated, it's dropped (of course).
For those of you who don't really want to read the long-winded rant, there
is a summary at the bottom. :)
The issue I was speaking to was not a specific method of firewalling
such as the conntrack support found in iptables; indeed ip_conntrack is
an excellent way for network endpoints (desktops, servers, etc.) to
manage what is allowed in and what is not. However, in the larger, more
abstract context of filtering, dropping ICMP becomes a point to be
addressed.
While connection tracking is a very appropriate and indeed a very clean
solution to firewalling a specific network endpoint (desktop PC,
servers, etc.), when we find ourselves dealing with major network
appliances sitting on major routes, specifically when we are dealing
with bridging as opposed to NATing, connection tracking becomes a
little implausible.
For example, in a large network of Windows machines, there are some
connections we do not want to track. While conntrack is great for your
desktop Linux machine or your Linux server (and in fact works in an
extremely elegant fashion), consider a network route behind which
are several hundred (or possibly thousand) Windows machines, using DHCP
configurations to set this particular box on this route as their gateway.
Now, the simplest implementation is to simply use a bridge. And on a
network appliance, in many situations, bridging is perhaps more
desirable than NAT (although there are many exceptions to this rule).
If we choose to go this route, then connection tracking is not really a
viable option, because of how large the connection tables would get
within the ip_conntrack module.
However, let's assume that one of the issues is we want to prevent a lot
of the exploitation that happens over RPC, and we want to generally cut
down on the huge amount of broadcast traffic generated by Windows
machines. This is where filtering rules come into the picture as opposed
to connection tracking.
Now, the point which this thread sort of wandered into is: what can we
filter if we are using bridging? Many people seem to have the conception
that dropping ICMP is a good thing. The issue that needs to be
addressed, and which I was speaking to, was simply that you can not
block ICMP, you can only block certain types of ICMP. For example, ICMP
echo requests and ICMP timestamps are safe to block. ICMP broadcasts
should be blocked as well to prevent Smurf-like attacks.
Also, using our above-mentioned scenario, other things can be dropped
right away. If everyone on those Windows boxes is simply working in an
office, why not simply block out everything but TCP? This would cut down
on a lot of broadcast traffic (since Windows boxes generate a lot of
NetBIOS broadcasts) and eliminate many NetBIOS attacks. (In the event
NetBIOS is being tunneled over TCP, then just block that too.)
Anyways, the point really is simply that yes, connection tracking is a
very good option for network endpoints. However, when it comes to
filtering, it is not the crown jewel, so to speak, of netfiltering. On
major network filters, it is often implausible because of its
inevitable implementation of entries for each connection. And oftentimes
when you're dealing with something like a Cisco 8600, you only have 24
megs of RAM, and you have a lot of traffic to route and very little
memory. So bridging and filtering become a necessity of sorts.
>
> And that's the whole purpose of ip_conntrack. Any decent 'firewalling'
> script will implement this. Of course, I've been using Seawall (2.2) and
> Shorewall (2.4+) for years now without a glitch on personal and
> corporate/production 'firewalls' and routers.
>
> Try:
> "Keeping track of packets: The state match"
> http://www.linux-mag.com/2000-01/bestdefense_03.html
> (part of)
> "BEST DEFENSE: Network Security With Linux 2.4"
> http://www.linux-mag.com/2000-01/bestdefense_01.html
>
> modprobe ip_conntrack
> iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Regards,
> Paul <snafu@...>
>
> BLOG: http://forkbomb.dhs.org/bs/
> GPG Key: http://forkbomb.dhs.org/bs/snafu.asc
> ---
> Life would be so much easier if we could just look at the source code.
> ~ -- Dave Olson
--
gentoo-security@g.o mailing list
--
Stephen Clowater
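As an added example (not code from either poster), here is a POSIX sh script that emits the rule set the thread converges on: the ESTABLISHED,RELATED state match from the quoted reply for a conntrack-capable endpoint, and for a bridging filter box without conntrack, rules that drop only the ICMP types named above (echo request, timestamp, broadcast-bound ICMP) while passing the control messages TCP depends on. It assumes iptables sees bridged traffic in the FORWARD chain (bridge-nf), and the IPTABLES and BCAST variables are assumptions of this script; by default it only echoes the commands, so it is a dry run.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates iptables rules for
# the two cases discussed: a bridged filter appliance (no conntrack) and a
# conntrack endpoint. IPTABLES defaults to "echo iptables" so running this
# prints the rules instead of changing the firewall; BCAST is a constructed
# subnet broadcast address for illustration.
IPTABLES="${IPTABLES:-echo iptables}"
BCAST="${BCAST:-192.168.0.255}"

# Bridged filter box: allow or drop ICMP by type, since there is no session
# table to decide what is "related". Assumes bridge-nf passes frames to FORWARD.
bridge_icmp_rules() {
    # The types the post calls safe to block: scanning/timestamp probes and
    # anything aimed at the subnet broadcast address (Smurf amplification).
    $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j DROP
    $IPTABLES -A FORWARD -p icmp --icmp-type timestamp-request -j DROP
    $IPTABLES -A FORWARD -p icmp -d "$BCAST" -j DROP
    # The control messages TCP relies on (PMTU discovery, routing errors,
    # source quench) must still pass, or connections behind the bridge break.
    for t in destination-unreachable source-quench time-exceeded parameter-problem; do
        $IPTABLES -A FORWARD -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Any ICMP type not explicitly allowed above is dropped.
    $IPTABLES -A FORWARD -p icmp -j DROP
}

# "Everything but TCP" for an office-only segment, cutting NetBIOS broadcast
# noise. The UDP/53 exception is this script's assumption (name resolution),
# not something the post specifies; remove it if DNS is served elsewhere.
bridge_proto_rules() {
    $IPTABLES -A FORWARD -p tcp -j ACCEPT
    $IPTABLES -A FORWARD -p udp --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -j DROP
}

# Conntrack endpoint (desktop or server): the state match from the quoted
# reply lets related ICMP in without any per-type rules.
endpoint_state_rules() {
    $IPTABLES -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}
```

Run with IPTABLES=iptables (as root) to apply instead of print, and set BCAST to the real subnet broadcast address.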