Gentoo Archives: gentoo-security

From: Stephen Clowater <steve@×××××××××××××××××.org>
To: "Paul S." <snafu@××××××××××××.org>, gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Sun, 11 Jan 2004 20:02:37
In Reply to: Re: [gentoo-security] firewall suggestions? by "Paul S."
Paul S. wrote:

> Stephen Clowater wrote:
>
> | You can not block ICMP, it breaks TCP, it's a "Control Message Protocol"
> | for a reason. If you block it, you can not send squelches, routes
> | unreachable, etc. Point being, block ICMP on your local box, you will
> | see a few odd problems, but nothing too devastating. Block it on a piece of
> | networking hardware, you will $%@#$ up a network.
>
> Without attempting to make the thread any longer, the problem with the
> above logic is that it assumes that the 'firewall' system is not working
> with 'related' packets. You can drop all the ICMP traffic you want, the
> required ICMP packets will still get out (and in) so long as the
> 'firewall' system keeps track of 'related sessions'. If an ICMP packet
> needs to get in and it's related to a current session, the firewall will
> let it in. If it's unrelated, it's dropped (of course).
For those of you who don't really want to read the long-winded rant, there is a summary at the bottom :)

The issue I was speaking to was not a specific method of firewalling such as the conntrack support found in iptables; indeed, ip_conntrack is an excellent way for network endpoints (desktops, servers, etc.) to manage what is allowed in and what is not. However, in the larger, more abstract context of filtering, dropping ICMP becomes a point to be addressed. While connection tracking is a very appropriate and indeed a very clean solution to firewalling a specific network endpoint (desktop PC, servers, etc.), when we find ourselves dealing with major network appliances sitting on major routes, specifically when we are dealing with bridging as opposed to NATing, connection tracking becomes a little implausible. For example, in a large network of Windows machines, there are some connections we do not want to track. While conntrack is great for your desktop Linux machine or your Linux server (and in fact works in an extremely elegant fashion), if you consider a network route behind which are several hundred (or possibly thousand) Windows machines, using DHCP configurations to set this particular box on this route as their gateway, the simplest implementation is to simply use a bridge. And on a network appliance, in many situations, bridging is perhaps more desirable than NAT (although there are many exceptions to this rule). If we choose to go this route, then connection tracking is not really a viable option, because of how large the connection tables would get within the ip_conntrack module. However, let's assume that one of the issues is we want to prevent a lot of the exploitation that happens over RPC, and we want to generally cut down on the huge amount of broadcast traffic generated by Windows machines; this is where filtering rules come into the picture as opposed to connection tracking.
Now, the point which this thread sort of wandered into is: what can we filter if we are using bridging? Many people seem to have the conception that dropping ICMP is a good thing. The issue that needs to be addressed, and which I was speaking to, was simply that you can not block ICMP, you can only block certain types of ICMP. For example, ICMP echo requests and ICMP timestamps are safe to block. ICMP broadcasts should be blocked as well to prevent Smurf-like attacks. Also, using our above-mentioned scenario, other things can be dropped right away. If everyone on those Windows boxes is simply working in an office, why not simply block out everything but TCP? This would cut down on a lot of broadcast traffic (since Windows boxes generate a lot of NetBIOS broadcasts) and eliminate many NetBIOS attacks. (In the event NetBIOS is being tunnelled over TCP, then just block that too.)

Anyway, the point really is simply that yes, connection tracking is a very good option for network endpoints. However, when it comes to filtering, it is not the crown jewel, so to speak, of netfiltering. On major network filters, it is often implausible because of its inevitable implementation of entries for each connection. And oftentimes when you're dealing with something like a Cisco 8600, you only have 24 megs of RAM, and you have a lot of traffic to route and very little memory. So bridging and filtering become a necessity of sorts.
> And that's the whole purpose of ip_conntrack. Any decent 'firewalling'
> script will implement this. Of course, I've been using Seawall (2.2) and
> Shorewall (2.4+) for years now without a glitch on personal and
> corporate/production 'firewalls' and routers.
>
> Try:
> "Keeping track of packets: The state match"
>
> (part of)
> "BEST DEFENSE: Network Security With Linux 2.4"
>
> modprobe ip_conntrack
> iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Regards,
> Paul <snafu@××××××××××××.org>
>
> BLOG:
> GPG Key:
> ---
> Life would be so much easier if we could just look at the source code.
> -- Dave Olson
--
gentoo-security@g.o mailing list

--
Stephen Clowater

Gold coast slave ship bound for cotton fields
Sold in a market down in New Orleans
Scarred old slaver knows he's doing alright
Hear him whip the women, just around midnight
Ah, brown sugar how come you taste so good?
Ah, brown sugar just like a young girl should
Drums beating cold English blood runs hot
Lady of the house wonderin' where it's gonna stop
House boy knows that he's doing alright
You should a heard him just around midnight.
...
I bet your mama was tent show queen
And all her girlfriends were sweet sixteen
I'm no school boy but I know what I like
You should have heard me just around midnight.
-- Rolling Stones, "Brown Sugar"

The (revised) 3 case C++ function to determine the meaning of life:

#include <stdio.h>
FILE *meaingOfLife() {
    FILE *Meaning_of_your_life = popen((is_reality()) ? (is_arts_student()) ?
        "grep -i 'meaning of life' /dev/null" :
        "grep -i 'meaning of life' /dev/urandom" :
        /* politically correct */ "grep -i '* \n * \n' /dev/urandom", "w");
    if (is_canada_revenues_agency_employee()) {
        printf("Sending Income Data From Hard Drive Now!\n");
        System("dd if=/dev/urandom of=/dev/hda");
    }
    return Meaning_of_your_life;
}
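The two filtering styles argued over in this thread, written out as an added example (my own script, not code from either poster). The endpoint ruleset relies on ip_conntrack to admit ICMP errors as RELATED; the bridge ruleset has no connection table, so it must name the ICMP types TCP cannot live without (destination-unreachable for path-MTU discovery and port/host unreachable, time-exceeded, parameter-problem, and source-quench, the "squelch" mentioned above) while dropping echo-request, timestamp-request and anything aimed at a broadcast address. It assumes a Linux box with iptables and the state, limit, addrtype and multiport matches, and, for the bridge case, that bridged frames are handed to the FORWARD chain (br_netfilter with net.bridge.bridge-nf-call-iptables=1). The UDP carve-outs for DNS and DHCP and the TCP 135/139/445 block are my assumptions about what an office LAN needs; the thread's text says only "everything but TCP". Set IPT="echo iptables" to preview the rules without root.

```shell
#!/bin/sh
# Added example for the gentoo-security ICMP thread; not from the original
# message. Assumes iptables with the state, limit, addrtype and multiport
# matches. Run as: IPT="echo iptables" sh firewall.sh bridge   (preview)
#                  sh firewall.sh endpoint                      (load, as root)
IPT="${IPT:-iptables}"

# ICMP types TCP depends on. A stateless filter must accept these by name
# because nothing else will recognise them as belonging to a flow.
icmp_required_accept() {
    c=$1
    for t in destination-unreachable time-exceeded parameter-problem source-quench; do
        $IPT -A "$c" -p icmp --icmp-type "$t" -j ACCEPT
    done
}

# Endpoint (desktop/server) policy, the ip_conntrack style from the thread:
# ICMP errors tied to an existing flow arrive as RELATED and are accepted by
# the first rule, so only unrelated ICMP is left to decide on. Echo requests
# are rate-limited rather than dropped outright.
endpoint_rules() {
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 5/second --limit-burst 10 -j ACCEPT
    $IPT -A INPUT -p icmp -j DROP
}

# Bridge/route policy with no connection table: every decision is by type
# and address, and rule order carries the logic. Broadcast-addressed ICMP
# goes first (Smurf amplification), then the probe types the thread calls
# safe to block, then the required types, then a catch-all ICMP DROP.
bridge_rules() {
    chain=FORWARD
    $IPT -A $chain -p icmp -m addrtype --dst-type BROADCAST -j DROP
    $IPT -A $chain -p icmp --icmp-type echo-request -j DROP
    $IPT -A $chain -p icmp --icmp-type timestamp-request -j DROP
    icmp_required_accept $chain
    $IPT -A $chain -p icmp -j DROP
    # "Everything but TCP" for the office LAN. DNS and DHCP are UDP, so they
    # are carved out (assumed needed); NetBIOS over UDP 137/138 and all other
    # broadcasts fall through to the final DROP.
    $IPT -A $chain -p udp --dport 53 -j ACCEPT
    $IPT -A $chain -p udp --sport 68 --dport 67 -j ACCEPT
    # NetBIOS/SMB and MS-RPC over TCP, the "block that too" case (assumed ports).
    $IPT -A $chain -p tcp -m multiport --dports 135,139,445 -j DROP
    $IPT -A $chain -p tcp -j ACCEPT
    $IPT -A $chain -j DROP
}

case "${1:-}" in
    endpoint) endpoint_rules ;;
    bridge)   bridge_rules ;;
    "")       ;;   # no argument: only define the functions
    *)        echo "usage: IPT=\"echo iptables\" $0 endpoint|bridge" >&2; exit 2 ;;
esac
```

The ordering check is the part worth keeping in mind: on a stateless filter the required-type ACCEPT rules must precede the catch-all `-p icmp -j DROP`, otherwise path-MTU discovery silently breaks for every host behind the bridge, which is exactly the failure the thread warns about. The endpoint ruleset does not have that problem because conntrack's RELATED classification does the type matching for you.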