bugzilla-daemon@bugzilla.netfilter.org
2004-Aug-30 18:12 UTC
[Bug 98] state ESTABLISHED allow ipip tunnels
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=98

netfilter@linuxace.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter@linuxace.com
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From netfilter@linuxace.com 2004-08-28 02:31 CEST -------
I cannot reproduce this on 2.6.8.1. Protocol 4 is indeed treated just like any
other unknown protocol, and dropped if not specifically allowed.

Perhaps the user had an unexpired entry already in conntrack during his testing...

--
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon@bugzilla.netfilter.org
2004-Sep-24 15:59 UTC
[Bug 98] state ESTABLISHED allow ipip tunnels
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=98

------- Additional Comments From elacour@easter-eggs.com 2004-09-24 15:59 CEST -------
(In reply to comment #3)
> I cannot reproduce this on 2.6.8.1. Protocol 4 is indeed treated just like any
> other unknown protocol, and dropped if not specifically allowed.
>
> Perhaps the user had an unexpired entry already in conntrack during his testing...
>

Yes, I did the test again and there was a conntrack entry. The time for this
conntrack entry seems to be 600 seconds ... this seems a lot, no? Look:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p 4 -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p 4 -j DROP

Then I put the tunnel up and pinged. It blocked (ok).

Now, I open the ipip:

iptables -I INPUT -p 4 -j ACCEPT
iptables -I OUTPUT -p 4 -j ACCEPT

ping is ok

I close it before the 600 seconds conntrack timeout:

iptables -D INPUT -p 4 -j ACCEPT
iptables -D OUTPUT -p 4 -j ACCEPT

ping is ok, and for each new ping, it restores the timeout to 600 seconds.
So even though we closed the channel with iptables, people can maintain an
open connection. Is this a feature or a bug?
bugzilla-daemon@bugzilla.netfilter.org
2004-Sep-24 17:32 UTC
[Bug 98] state ESTABLISHED allow ipip tunnels
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=98

------- Additional Comments From netfilter@linuxace.com 2004-09-24 17:32 CEST -------
This is expected behavior...

The first rule of your INPUT chain where you allow ESTABLISHED continues to
allow the IPIP tunnel until that conntrack expires (600 seconds as you note).

If you want to block this immediately, insert a DROP rule before the
ESTABLISHED rule. If you instead wish to lower the timeout, take a look at:

/proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout

you can issue an

echo X > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout

where X is the timeout you prefer.
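The interaction described in comment #5 (an ESTABLISHED rule placed first keeps matching protocol-4 packets for as long as the conntrack entry is refreshed, so either rule order or the generic timeout decides when the tunnel is actually cut) modelled as an added Python example; this is not code from the bug report or from the netfilter project. The Firewall class, the Rule and Packet types, the 192.0.2.x tunnel endpoints and the ping schedule are all constructed for the example, and the first-match chain walk plus refresh-on-every-packet logic is a simplified model of the conntrack/filter path, not the kernel's code.

```python
"""Toy model of the behaviour in bug 98 (added example, not code from the bug
report or from netfilter): a first-match INPUT chain plus a conntrack table in
which IPIP (IP protocol 4) has no protocol tracker, so its entries live on
ip_conntrack_generic_timeout (600 s by default, as the thread notes) and are
refreshed by every packet that matches an existing entry."""
from dataclasses import dataclass
from typing import Optional

GENERIC_TIMEOUT = 600   # ip_conntrack_generic_timeout default, in seconds
IPIP = 4                # IP protocol number used by ipip tunnels


@dataclass(frozen=True)
class Rule:
    target: str                     # "ACCEPT" or "DROP"
    proto: Optional[int] = None     # -p N; None matches any protocol
    established: bool = False       # -m state --state ESTABLISHED


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


class Firewall:
    """One INPUT chain (policy DROP) and the conntrack entries it confirmed."""

    def __init__(self, chain, timeout=GENERIC_TIMEOUT):
        self.chain = list(chain)
        self.timeout = timeout
        self.conntrack = {}         # flow key -> expiry time in seconds

    def insert(self, rule):         # iptables -I INPUT ...  (prepend)
        self.chain.insert(0, rule)

    def delete(self, rule):         # iptables -D INPUT ...
        self.chain.remove(rule)

    def _state(self, key, now):
        expiry = self.conntrack.get(key)
        if expiry is None or expiry <= now:
            self.conntrack.pop(key, None)   # expired entry is garbage-collected
            return "NEW"
        # conntrack runs before the filter table, so seeing the packet
        # refreshes the entry even if the filter chain then drops it
        self.conntrack[key] = now + self.timeout
        return "ESTABLISHED"

    def input(self, pkt, now):
        """Return the INPUT verdict for pkt arriving at time `now` (seconds)."""
        key = (frozenset((pkt.src, pkt.dst)), pkt.proto)  # direction-agnostic flow
        state = self._state(key, now)
        verdict = "DROP"                                # chain policy
        for rule in self.chain:
            if rule.proto is not None and rule.proto != pkt.proto:
                continue
            if rule.established and state != "ESTABLISHED":
                continue
            verdict = rule.target
            break
        if verdict == "ACCEPT" and state == "NEW":
            self.conntrack[key] = now + self.timeout    # new entry confirmed
        return verdict


def replay_report(timeout=GENERIC_TIMEOUT, drop_before_established=False):
    """Replay the reporter's steps and return the verdict at each stage.

    drop_before_established=True is the rule-order fix from comment #5; a
    smaller timeout models the /proc knob from the same comment."""
    established = Rule("ACCEPT", established=True)
    drop_ipip = Rule("DROP", proto=IPIP)
    chain = ([drop_ipip, established] if drop_before_established
             else [established, drop_ipip])
    fw = Firewall(chain, timeout)
    pkt = Packet("192.0.2.1", "192.0.2.2", IPIP)   # constructed tunnel endpoints
    result = {}
    result["before_open"] = fw.input(pkt, now=0)
    allow = Rule("ACCEPT", proto=IPIP)
    fw.insert(allow)                                # iptables -I INPUT -p 4 -j ACCEPT
    result["opened"] = fw.input(pkt, now=10)
    fw.delete(allow)                                # iptables -D INPUT -p 4 -j ACCEPT
    result["closed_20s_later"] = fw.input(pkt, now=30)
    # keep pinging every 500 s for about an hour: with the default timeout
    # every packet lands inside the 600 s window, so the entry never expires
    pings = range(530, 3700, 500)
    for t in pings:
        result["closed_keepalive_pings"] = fw.input(pkt, now=t)
    result["closed_after_silence"] = fw.input(pkt, now=pings[-1] + timeout + 1)
    return result


if __name__ == "__main__":
    print("default:      ", replay_report())
    print("DROP first:   ", replay_report(drop_before_established=True))
    print("timeout 30 s: ", replay_report(timeout=30))
```

With the reporter's ordering, the keep-alive pings stay ACCEPTed for the whole hour after the explicit ACCEPT rule is deleted and only a gap longer than the timeout cuts the tunnel; moving the protocol-4 DROP ahead of the ESTABLISHED rule drops the very next packet, and a 30-second generic timeout lets the entry lapse between pings instead.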
bugzilla-daemon@bugzilla.netfilter.org
2004-Sep-24 17:46 UTC
[Bug 98] state ESTABLISHED allow ipip tunnels
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=98

------- Additional Comments From elacour@easter-eggs.com 2004-09-24 17:46 CEST -------
(In reply to comment #5)
> This is expected behavior...
>
> The first rule of your INPUT chain where you allow ESTABLISHED continues to
> allow the IPIP tunnel until that conntrack expires (600 seconds as you note).
>
> If you want to block this immediately, insert a DROP rule before the
> ESTABLISHED rule. If you instead wish to lower the timeout, take a look at:
>

I know that :)

> /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout
>
> you can issue an
>
> echo X > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout
>
> where X is the timeout you prefer.

Thanks, I didn't see this. You can close the bug now.