John,
I'm taking the liberty of copying the Shorewall Development list since I
believe that these issues will be of interest.
On Tue, 6 Aug 2002, Links at Momsview wrote:
> Tom,
> I'm not sure if you ever saw this document but it describes some of the
> reasons you are seeing strange packets after setting up NEW not SYN
>
> http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html#NEWNOTSYN
>
Thanks.
> I didn't notice where the actual ACCEPT was for these connections but I
> assume they are on a Port by port basis.
>
Yes.
> PS: I believe there may be some similar issues with the ICMP.DEF rules
> i.e. with RELATED tracking on ICMP chains I don't believe you need to ACCEPT
> ECHO REPLIES since they are RELATED
> to ECHO Requests.
Yes -- we probably don't need a number of the rules dealing with ICMP.
> Frankly, I don't understand why RELATED is an optional parameter in
> Shorewall.conf, since it is probably a much safer thing to use rather than
> allowing ALL of these packets (ICMP Echo replies for example)
> and opening other ports for things like FTP for example. That's just my
> opinion though :)
RELATED is optional because there was once an exploitable bug in the FTP
RELATED kernel logic.
>
> PPS:
> Regarding SYN floods. I believe you actually do need SYN cookies enabled to
> protect you from this kind of DOS.
> Packet rate limits will ARBITRARILY drop incoming packets that exceed the
> given threshold.
> The problem is that the SYN packet it drops might actually be a Valid
> connection attempt (not part of the SYN flood).
> Therefore, even if your connection limits and defined timeouts keep your
> system from running out of memory, you may still DROP valid connection
> attempts.
>
> As you probably already know, with SYN cookies once the system reaches a
> certain number of USED connections it
> simply hands these "cookies" back to the requesting client without
> discrimination. The valid clients will be able to use this cookie to
> establish valid connections while the client doing the SYN flood won't make
> a connection.
>
I'm aware of these facts but SYN cookies can be enabled by a user without
any help from Shorewall whereas the rate-limiting code would be difficult
for a user to insert into Shorewall's ruleset. I've taken that view toward
a lot of things in /proc/sys/net/ipv4 -- if the user wants it, then the
user can set it.
Now that Shorewall is reaching maturity, I can consider starting to
integrate more of those parameters (as I did with proxy_arp in 1.3.5).
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
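The two pieces this thread talks past each other about, the kernel SYN-cookie switch under /proc/sys/net/ipv4 that a user sets without Shorewall's help and an INPUT ruleset that accepts RELATED/ESTABLISHED before dropping NEW-but-not-SYN TCP, as an added example that is not part of the thread or of Shorewall; the proc path is a parameter so the functions can be exercised against an ordinary file without root.

```shell
#!/bin/sh
# Added example (not from the thread or Shorewall). Kernel switch path is
# overridable so the functions can be run against a plain file when not root.
SYNCOOKIES_PATH="${SYNCOOKIES_PATH:-/proc/sys/net/ipv4/tcp_syncookies}"

# Print the current tcp_syncookies setting (0 or 1) read from the given path.
syncookies_status() {
    cat "${1:-$SYNCOOKIES_PATH}"
}

# Enable SYN cookies by writing 1 to the given path; fails if the write
# did not take effect (e.g. no permission on the real /proc entry).
enable_syncookies() {
    path="${1:-$SYNCOOKIES_PATH}"
    echo 1 > "$path" || return 1
    [ "$(cat "$path")" = "1" ]
}

# Emit (as text, not executed) INPUT-chain rules in the order the tutorial
# linked above implies: tracked traffic first, so ICMP echo replies and FTP
# data connections ride on RELATED/ESTABLISHED; then drop TCP that conntrack
# calls NEW but that carries no SYN; only then open ports one by one
# ($1 is a space-separated list of TCP ports to accept).
input_rules() {
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP"
    for port in $1; do
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
}

# Stand-alone usage: "sh thisfile.sh show" prints the setting and the rules.
if [ "${1:-}" = "show" ]; then
    echo "tcp_syncookies = $(syncookies_status)"
    input_rules "22 80"
fi
```

Rate limiting with the iptables limit match is deliberately absent: as the thread notes, it drops a share of legitimate SYNs, whereas SYN cookies let the kernel keep answering without holding half-open state.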