bugzilla-daemon at netfilter.org
2013-Oct-31 02:14 UTC
[Bug 870] New: Iptables cannot block outbound packets sent by Nessus
https://bugzilla.netfilter.org/show_bug.cgi?id=870

Summary: Iptables cannot block outbound packets sent by Nessus
Product: iptables
Version: 1.4.x
Platform: x86_64
OS/Version: Ubuntu
Status: NEW
Severity: normal
Priority: P5
Component: iptables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: Mitsuaki_Shiraishi at symantec.com
Estimated Hours: 0.0

Iptables on Ubuntu 13.10 cannot block outbound packets sent by Nessus.

[TESTED ENVIRONMENT]
* Iptables v1.4.18
* Ubuntu 13.10 on x86_64 (Kali Linux 1.0.5 64bit may also be affected)
* Nessus 5.2.4
* Nmap 6.40
* Hping3 3.0.0-alpha-2
* Local ip: 192.168.2.100
* Remote ip: 192.168.2.99

[FINDING]
Iptables cannot block outbound packets sent by the local Nessus daemon.
Setting the OUTPUT chain's policy to DROP and appending a rule that ACCEPTs the
loopback interface should block any outbound packets through eth1. However,
when running a Nessus scan, some TCP/UDP/ICMP packets are sent to the remote
server through eth1. The other attempts I tested to get beyond iptables are
blocked properly.

I have no idea how Nessus gets beyond iptables. But I believe this should be
treated as a vulnerability of iptables.

[TEST PATTERN]
* Tested iptables settings
  (A) No packet filter
  (B) Accept loopback only
  (C) Accept loopback only + all reject rule
* Tested methods to send packets
  (a) Telnet to remote server
  (b) Dig to remote server
  (c) Ping to remote server
  (d) Nmap TCP SYN scan
  (e) Hping3 to send TCP SYN packets
  (f) Hping3 to send UDP datagrams
  (g) Hping3 to send ICMP echo requests
  (h) Nessus with default policy "External Network Scan"

[SUMMARY OF TEST RESULT]
* None of the iptables settings can block certain Nessus packets.
* Iptables settings (B) and (C) block tested methods (a)-(g) properly.
[TEST RESULT]

(A) Iptables rule 01: no packet filter
* No packet filter rule is enabled
* All tested methods pass iptables

(A-1) Shell script

# cat iptables-flush.sh
#!/bin/bash
IPTABLES="/sbin/iptables"
${IPTABLES} -F
${IPTABLES} -X
${IPTABLES} -Z
${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P OUTPUT ACCEPT
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -nvL

(A-2) Result

# ./iptables-flush.sh
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

(A-3) Tested methods and result

(a) Telnet to remote server

# telnet 192.168.2.99 80
Trying 192.168.2.99...
Connected to 192.168.2.99.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 401 Unauthorized
Server: GoAhead-Webs
Date: Wed Oct 30 23:54:21 2013
WWW-Authenticate: Basic realm=" "
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html

Connection closed by foreign host.

(b) Dig to remote server

# dig www.google.com @192.168.2.99

; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> www.google.com @192.168.2.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41013
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 191 IN A 173.194.38.113
www.google.com. 191 IN A 173.194.38.114
www.google.com. 191 IN A 173.194.38.115
www.google.com. 191 IN A 173.194.38.116
www.google.com. 191 IN A 173.194.38.112

;; AUTHORITY SECTION:
google.com. 56291 IN NS ns4.google.com.
google.com. 56291 IN NS ns2.google.com.
google.com. 56291 IN NS ns3.google.com.
google.com. 56291 IN NS ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com. 230430 IN A 216.239.32.10
ns2.google.com. 230175 IN A 216.239.34.10
ns3.google.com. 229166 IN A 216.239.36.10
ns4.google.com. 230041 IN A 216.239.38.10

;; Query time: 14 msec
;; SERVER: 192.168.2.99#53(192.168.2.99)
;; WHEN: Wed Oct 30 23:54:49 JST 2013
;; MSG SIZE rcvd: 259

(c) Ping to remote server

# ping -c 3 192.168.2.99
PING 192.168.2.99 (192.168.2.99) 56(84) bytes of data.
64 bytes from 192.168.2.99: icmp_seq=1 ttl=64 time=0.847 ms
64 bytes from 192.168.2.99: icmp_seq=2 ttl=64 time=0.793 ms
64 bytes from 192.168.2.99: icmp_seq=3 ttl=64 time=0.800 ms

--- 192.168.2.99 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.793/0.813/0.847/0.033 ms

(d) Nmap TCP SYN scan

# nmap -nvv -r -Pn -sS -F --reason 192.168.2.99

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-30 23:56 JST
Initiating ARP Ping Scan at 23:56
Scanning 192.168.2.99 [1 port]
Completed ARP Ping Scan at 23:56, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:56
Scanning 192.168.2.99 [100 ports]
Discovered open port 53/tcp on 192.168.2.99
Discovered open port 80/tcp on 192.168.2.99
Completed SYN Stealth Scan at 23:56, 0.09s elapsed (100 total ports)
Nmap scan report for 192.168.2.99
Host is up, received arp-response (0.011s latency).
Scanned at 2013-10-30 23:56:17 JST for 1s
Not shown: 98 closed ports
Reason: 98 resets
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
MAC Address: 00:01:8E:7B:AF:D0 (Logitec)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Raw packets sent: 101 (4.428KB) | Rcvd: 101 (4.036KB)

(e) Hping3 to send TCP SYN packets

# hping3 -n -V -c 3 -S -p 80 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): S set, 40 headers + 0 data bytes
len=46 ip=192.168.2.99 ttl=64 DF id=0 tos=0 iplen=44
sport=80 flags=SA seq=0 win=5840 rtt=1.1 ms
seq=1297713297 ack=947911264 sum=4de9 urp=0

len=46 ip=192.168.2.99 ttl=64 DF id=0 tos=0 iplen=44
sport=80 flags=SA seq=1 win=5840 rtt=0.8 ms
seq=1302142566 ack=1170559117 sum=c1ef urp=0

len=46 ip=192.168.2.99 ttl=64 DF id=0 tos=0 iplen=44
sport=80 flags=SA seq=2 win=5840 rtt=0.9 ms
seq=1329926636 ack=1327164082 sum=1857 urp=0

--- 192.168.2.99 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.8/0.9/1.1 ms

(f) Hping3 to send UDP datagrams

# hping3 -n -V -c 3 --udp -p 53 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): udp mode set, 28 headers + 0 data bytes

--- 192.168.2.99 hping statistic ---
3 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

no packet received: expected result

(g) Hping3 to send ICMP echo requests

# hping3 -n -V -c 3 --icmp 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): icmp mode set, 28 headers + 0 data bytes
len=46 ip=192.168.2.99 ttl=64 id=62300 tos=0 iplen=28
icmp_seq=0 rtt=0.8 ms
len=46 ip=192.168.2.99 ttl=64 id=62301 tos=0 iplen=28
icmp_seq=1 rtt=0.8 ms
len=46 ip=192.168.2.99 ttl=64 id=62302 tos=0 iplen=28
icmp_seq=2 rtt=0.9 ms

--- 192.168.2.99 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.8/0.8/0.9 ms

(h) Nessus with default policy "External Network Scan"

This test was omitted for this test case.

(B) iptables rule 02: accept loopback only
* Allow packets through loopback interface only
* But Nessus gets beyond iptables and packets reach the remote server

(B-1) Shell script

# cat iptables-drop.sh
#!/bin/bash
IPTABLES="/sbin/iptables"
${IPTABLES} -F
${IPTABLES} -X
${IPTABLES} -Z
${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P OUTPUT DROP
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -A OUTPUT -o lo -j ACCEPT
${IPTABLES} -nvL

(B-2) Result

# ./iptables-drop.sh
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0

(B-3) Tested methods and result

(a) Telnet to remote server

# telnet 192.168.2.99 80
Trying 192.168.2.99...
^C

(b) Dig to remote server

# dig www.google.com @192.168.2.99

; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> www.google.com @192.168.2.99
;; global options: +cmd
;; connection timed out; no servers could be reached

(c) Ping to remote server

# ping -c 3 192.168.2.99
PING 192.168.2.99 (192.168.2.99) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- 192.168.2.99 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2016ms

(d) Nmap TCP SYN scan

# nmap -nvv -r -Pn -sS -F --reason 192.168.2.99

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-31 00:07 JST
Initiating ARP Ping Scan at 00:07
Scanning 192.168.2.99 [1 port]
Completed ARP Ping Scan at 00:07, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 00:07
Scanning 192.168.2.99 [100 ports]
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:7 S ttl=52 id=64640 iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:9 S ttl=42 id=61018 iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:13 S ttl=44 id=35727 iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:21 S ttl=45 id=29202 iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:22 S ttl=48 id=35616 iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:23 S ttl=52 id=55957 iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:25 S ttl=46 id=12696 iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:26 S ttl=37 id=42157 iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:37 S ttl=43 id=28216 iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:53 S ttl=41 id=46693 iplen=44 seq=3821504810 win=1024 <mss 1460>
Omitting future Sendto error messages now that 10 have been shown. Use -d2 if you really want to see them.
Completed SYN Stealth Scan at 00:07, 3.04s elapsed (100 total ports)
Nmap scan report for 192.168.2.99
Host is up, received arp-response (0.00045s latency).
All 100 scanned ports on 192.168.2.99 are filtered because of 100 no-responses
MAC Address: 00:01:8E:7B:AF:D0 (Logitec)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.25 seconds
Raw packets sent: 1 (28B) | Rcvd: 1 (28B)

(e) Hping3 to send TCP SYN packets

# hping3 -n -V -c 3 -S -p 80 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): S set, 40 headers + 0 data bytes
[send_ip] sendto: Operation not permitted

(f) Hping3 to send UDP datagrams

# hping3 -n -V -c 3 --udp -p 53 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): udp mode set, 28 headers + 0 data bytes
[send_ip] sendto: Operation not permitted

(g) Hping3 to send ICMP echo requests

# hping3 -n -V -c 3 --icmp 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): icmp mode set, 28 headers + 0 data bytes
[send_ip] sendto: Operation not permitted

(h) Nessus with default policy "External Network Scan"

Some TCP(SYN)/UDP/ICMP packets reached the remote server.
Please see attachment:
caseB_01_tcp_syn.jpg
caseB_02_udp.jpg
caseB_03_icmp.jpg

(C) iptables rule 03: Adding rule ALL REJECT
* Allow packets through loopback interface only
* Appended a rule that REJECTs any outbound traffic
* But Nessus gets beyond iptables and packets reach the remote server

(C-1) Shell script

# cat iptables-reject.sh
#!/bin/bash
IPTABLES="/sbin/iptables"
${IPTABLES} -F
${IPTABLES} -X
${IPTABLES} -Z
${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P OUTPUT DROP
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -A OUTPUT -o lo -j ACCEPT
${IPTABLES} -A OUTPUT -j REJECT
${IPTABLES} -nvL

(C-2) Result

# ./iptables-reject.sh
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

(C-3) Tested methods and result

(a) Telnet to remote server

# telnet 192.168.2.99 80
Trying 192.168.2.99...
telnet: Unable to connect to remote host: Connection refused

(b) Dig to remote server

# dig www.google.com @192.168.2.99

; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> www.google.com @192.168.2.99
;; global options: +cmd
;; connection timed out; no servers could be reached

(c) Ping to remote server

# ping -c 3 192.168.2.99
PING 192.168.2.99 (192.168.2.99) 56(84) bytes of data.
From 192.168.2.100 icmp_seq=1 Destination Port Unreachable
From 192.168.2.100 icmp_seq=1 Destination Port Unreachable
From 192.168.2.100 icmp_seq=1 Destination Port Unreachable

--- 192.168.2.99 ping statistics ---
0 packets transmitted, 0 received, +3 errors

(d) Nmap TCP SYN scan

# nmap -nvv -r -Pn -sS -F --reason 192.168.2.99

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-31 00:30 JST
Initiating ARP Ping Scan at 00:30
Scanning 192.168.2.99 [1 port]
Completed ARP Ping Scan at 00:30, 0.02s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 00:30
Scanning 192.168.2.99 [100 ports]
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:7 S ttl=40 id=19747 iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:9 S ttl=43 id=17256 iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:13 S ttl=44 id=58489 iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:21 S ttl=56 id=23589 iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:22 S ttl=55 id=11195 iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:23 S ttl=51 id=16902 iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:25 S ttl=41 id=54720 iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:26 S ttl=42 id=15150 iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:37 S ttl=37 id=32665 iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) => Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:53 S ttl=54 id=34713 iplen=44 seq=2093450241 win=1024 <mss 1460>
Omitting future Sendto error messages now that 10 have been shown. Use -d2 if you really want to see them.
Completed SYN Stealth Scan at 00:30, 3.06s elapsed (100 total ports)
Nmap scan report for 192.168.2.99
Host is up, received arp-response (0.00040s latency).
All 100 scanned ports on 192.168.2.99 are filtered because of 100 no-responses
MAC Address: 00:01:8E:7B:AF:D0 (Logitec)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.27 seconds
Raw packets sent: 1 (28B) | Rcvd: 1 (28B)

(e) Hping3 to send TCP SYN packets

# hping3 -n -V -c 3 -S -p 80 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): S set, 40 headers + 0 data bytes
[send_ip] sendto: Operation not permitted

(f) Hping3 to send UDP datagrams

# hping3 -n -V -c 3 --udp -p 53 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): udp mode set, 28 headers + 0 data bytes
[send_ip] sendto: Operation not permitted

(g) Hping3 to send ICMP echo requests

# hping3 -n -V -c 3 --icmp 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): icmp mode set, 28 headers + 0 data bytes
[send_ip] sendto: Operation not permitted

(h) Nessus with default policy "External Network Scan"

Some TCP(SYN)/UDP/ICMP packets reached the remote server.
Please see attachment:
caseC_01_tcp_syn.jpg
caseC_02_udp.jpg
caseC_03_icmp.jpg

(D) current rule

# iptables -nvL
Chain INPUT (policy ACCEPT 72729 packets, 4540K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6668 1882K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
1229 66035 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

___________________________________________________
Mitsuaki_Shiraishi at symantec.com
We protect the world's people and information.
___________________________________________________

--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Oct-31 02:17 UTC
[Bug 870] Iptables cannot block outbound packets sent by Nessus
https://bugzilla.netfilter.org/show_bug.cgi?id=870

--- Comment #1 from Mitsuaki_Shiraishi at symantec.com 2013-10-31 03:17:28 CET ---
Created attachment 419
--> https://bugzilla.netfilter.org/attachment.cgi?id=419
Screenshots of Wireshark which show outbound packets sent by Nessus
bugzilla-daemon at netfilter.org
2013-Oct-31 02:18 UTC
[Bug 870] Iptables cannot block outbound packets sent by Nessus
https://bugzilla.netfilter.org/show_bug.cgi?id=870

--- Comment #2 from Mitsuaki_Shiraishi at symantec.com 2013-10-31 03:18:01 CET ---
Created attachment 420
--> https://bugzilla.netfilter.org/attachment.cgi?id=420
Screenshots 2/6
bugzilla-daemon at netfilter.org
2013-Oct-31 02:18 UTC
[Bug 870] Iptables cannot block outbound packets sent by Nessus
https://bugzilla.netfilter.org/show_bug.cgi?id=870

--- Comment #3 from Mitsuaki_Shiraishi at symantec.com 2013-10-31 03:18:46 CET ---
Created attachment 421
--> https://bugzilla.netfilter.org/attachment.cgi?id=421
Screenshots 3/6
bugzilla-daemon at netfilter.org
2013-Oct-31 02:19 UTC
[Bug 870] Iptables cannot block outbound packets sent by Nessus
https://bugzilla.netfilter.org/show_bug.cgi?id=870

--- Comment #4 from Mitsuaki_Shiraishi at symantec.com 2013-10-31 03:19:09 CET ---
Created attachment 422
--> https://bugzilla.netfilter.org/attachment.cgi?id=422
Screenshots 4/6
bugzilla-daemon at netfilter.org
2013-Oct-31 02:19 UTC
[Bug 870] Iptables cannot block outbound packets sent by Nessus
https://bugzilla.netfilter.org/show_bug.cgi?id=870

--- Comment #5 from Mitsuaki_Shiraishi at symantec.com 2013-10-31 03:19:33 CET ---
Created attachment 423
--> https://bugzilla.netfilter.org/attachment.cgi?id=423
Screenshots 5/6
bugzilla-daemon at netfilter.org
2013-Oct-31 02:19 UTC
[Bug 870] Iptables cannot block outbound packets sent by Nessus
https://bugzilla.netfilter.org/show_bug.cgi?id=870

--- Comment #6 from Mitsuaki_Shiraishi at symantec.com 2013-10-31 03:19:52 CET ---
Created attachment 424
--> https://bugzilla.netfilter.org/attachment.cgi?id=424
Screenshots 6/6
bugzilla-daemon at netfilter.org
2013-Oct-31 16:55 UTC
[Bug 870] Iptables cannot block outbound packets sent by Nessus
https://bugzilla.netfilter.org/show_bug.cgi?id=870

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |netfilter at linuxace.com
         Resolution|                            |INVALID

--- Comment #7 from Phil Oester <netfilter at linuxace.com> 2013-10-31 17:55:15 CET ---
Nessus uses raw sockets, which bypass the Linux IP stack completely. This
behavior is not unexpected. Run nessus as a non-root user (if possible) and it
will not be able to use raw sockets.

Closing.
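Added example, not part of the bug thread and not netfilter or Nessus code: a small audit that lists the link-layer packet sockets open on a host and the processes holding them, so an administrator can see which programs are in a position to send traffic that an OUTPUT policy will not stop. It assumes the raw sockets referred to in comment #7 are AF_PACKET sockets, which Linux lists in /proc/net/packet; the sample table in the code is constructed.

```python
import os
import re
from pathlib import Path

# Socket types as they appear in the "Type" column of /proc/net/packet.
SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW", 10: "SOCK_PACKET"}
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

# Constructed sample in the /proc/net/packet layout (not taken from the bug report).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff88003b1f5000 3      3    0003   3     1 0      0      13312
ffff88003b1f6800 3      2    0800   0     1 0      1000   20480
"""


def parse_packet_table(text):
    """Return one dict per AF_PACKET socket listed in /proc/net/packet text."""
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) != 9:
            continue                            # tolerate blank or truncated rows
        sock_type = int(fields[2])
        sockets.append({
            "type": SOCK_TYPES.get(sock_type, str(sock_type)),
            "proto": int(fields[3], 16),        # EtherType; 0x0003 is ETH_P_ALL
            "ifindex": int(fields[4]),          # 0 means not bound to one interface
            "uid": int(fields[7]),
            "inode": int(fields[8]),
        })
    return sockets


def owners_by_inode(proc_root="/proc"):
    """Map socket inode -> [(pid, comm)] by reading every <proc_root>/<pid>/fd link."""
    owners = {}
    try:
        pid_dirs = [d for d in Path(proc_root).iterdir() if d.name.isdigit()]
    except OSError:
        return owners                           # no procfs available
    for pid_dir in pid_dirs:
        try:
            comm = (pid_dir / "comm").read_text().strip()
            fds = list((pid_dir / "fd").iterdir())
        except OSError:
            continue                            # process exited or access denied
        for fd in fds:
            try:
                match = SOCKET_LINK.fullmatch(os.readlink(fd))
            except OSError:
                continue
            if match:
                owners.setdefault(int(match.group(1)), []).append(
                    (int(pid_dir.name), comm))
    return owners


def audit(packet_text, proc_root="/proc"):
    """Join the packet-socket table with the processes that hold each inode."""
    owners = owners_by_inode(proc_root)
    return [dict(s, owners=owners.get(s["inode"], []))
            for s in parse_packet_table(packet_text)]


if __name__ == "__main__":
    try:
        table = Path("/proc/net/packet").read_text()
    except OSError:
        table = SAMPLE_PROC_NET_PACKET          # fall back to the constructed sample
    for row in audit(table):
        print(row)
```

Run it as root to resolve the owners of sockets held by other users' processes; an unprivileged run only sees the caller's own file descriptors.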