Mailing List Archive

NAT,Source route verification and statefulness...
Hi folks
I have 3 issues with netfilter and the 2.4 kernel (RH 7.1)

1. I was wondering if any of you know why some "illogical" packets (e.g.
NULL) that portscanners create cause dmesg to print this:

NAT: 0 dropping untracked packet c8d2a960 1 "source-IP" ->
"destination-IP" (what's with the c8d2a960 1 ?)

whereas other illogical packets (X-MAS, FIN, ACK) don't and I have to
block them myself with iptables. My guess is the kernel has some
protection built in, but does anyone have a complete list of what stuff
the kernel takes care of and what not? Also, what if I wanna be alerted
if a NULL-scan is being conducted on my machine? I currently have cron
check for the above message in dmesg every minute, but this message seems
to apply to other kinds of bad packets too, so I cannot seem to exactly
identify a NULL-packet like I can an X-MAS-packet, cause a NULL-packet
doesn't even reach the firewall rules. Also, the above message doesn't
appear in /var/log/messages, only in the kernel buffer, but dmesg doesn't
have an entry for the exact time it occurred. Is there a way to have
syslogd print the kernel stuff too, including the time?

2. Has anyone had any experience with source-route verification? My box
doesn't really seem to do that, although I turned it on in
/proc/sys/net/ipv4/conf/all/rp_filter. The only time it does it is when
I try to spoof packets that go from my inside interface (192.168.0.0/24)
out, which I guess is easy cause the kernel just looks at the IP info I
assigned to the inside and blocks every packet trying to pretend to be
from somewhere else.
But if I send obviously spoofed packets to my box from the outside, like
10.0.0.0/8 etc., I have to block them myself with iptables. I thought
source route verification checks every packet by doing a reverse lookup
according to some RFC whose number I can't remember.

3. I logged my firewall rules extensively to learn about how the packets
traverse the chains and stuff, and I made a surprising discovery. My
input chain checks every packet coming in for statefulness, and if it's not
est/rel it'll be sent through a bunch of sanity checks.
The only non-stateful stuff I then allow in is SSH, so when I ssh'd in
and checked the log I learned that ONLY the very first packet (SYN) is
sent through the sanity checks. All others are considered established.
THIS WORRIES ME !!
I thought the statefulness applies only to stuff that originated inside
and comes back, like an http-response e.g.
Couldn't a hacker easily write a proggy similar to nmap which would
first send a proper, totally legal SYN-packet and then bombard the box
with nasty crap which would totally be accepted by the firewall as
"established"?
Please tell me I'm just paranoid !

Thanx for reading all this folks !
If anyone can enlighten me on this please do so !

ALEX
System-technician
Sony Computer Entertainment America
Foster City, CA 94404
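As an added illustration of questions 1 and 3 above (example code written here, not from the original post or from the netfilter project): a small Python model of the decisions 2.4 conntrack makes for a first packet and for the packets that follow the SSH handshake. The flag precedence and the new-connection row are taken from the 2.4 tcp_conntracks state table; the sample addresses, ports and the "reply seen" simplification of later packets are assumptions made for the model.

```python
# Added example (not from the original post): a model of how 2.4 netfilter TCP
# conntrack classifies the packets discussed above. Flag precedence and the
# new-connection row follow the 2.4 tcp_conntracks table; sample flows are
# constructed here, and packets after the first are reduced to "reply seen?".
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def conntrack_index(flags):
    """get_conntrack_index(): RST wins, then SYN, then FIN, then ACK."""
    for name, bit in (("rst", RST), ("syn", SYN), ("fin", FIN), ("ack", ACK)):
        if flags & bit:
            return name
    return "none"  # flag-less (NULL) packet: invalid in every state

# Row "no entry yet, original direction". sIV: conntrack creates no entry and
# NAT sees an untracked packet, which is where the post's NULL packets land.
NEW_ROW = {"syn": "sSS", "fin": "sTW", "ack": "sES", "rst": "sCL", "none": "sIV"}

class Conntrack:
    """Flows keyed by 4-tuple; classify() returns the iptables --state match."""
    def __init__(self):
        self.flows = {}  # (src, sport, dst, dport) -> reply seen yet?

    def classify(self, src, sport, dst, dport, flags):
        if conntrack_index(flags) == "none":
            return "INVALID"
        key, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if key in self.flows:
            return "ESTABLISHED" if self.flows[key] else "NEW"
        if reverse in self.flows:
            self.flows[reverse] = True  # reply direction: flow is established
            return "ESTABLISHED"
        if NEW_ROW[conntrack_index(flags)] == "sIV":
            return "INVALID"
        self.flows[key] = False  # new entry, no reply yet
        return "NEW"

def first_packet_states():
    """Cold probes against an empty table, a fresh tracker for each."""
    probes = {"NULL": 0, "XMAS": FIN | PSH | URG, "FIN": FIN, "ACK": ACK, "SYN": SYN}
    return {n: Conntrack().classify("10.0.0.5", 40000, "192.168.0.1", 22, f)
            for n, f in probes.items()}

def ssh_session_trace():
    """The post's SSH case: only the SYN is NEW; once a reply exists, anything
    with the same tuple is ESTABLISHED (2.4 tracks no sequence windows), so
    flag-sanity rules belong before the ESTABLISHED accept, not behind it."""
    ct, c, s = Conntrack(), ("10.0.0.5", 40000), ("192.168.0.1", 22)
    return [ct.classify(*c, *s, SYN), ct.classify(*s, *c, SYN | ACK),  # handshake
            ct.classify(*c, *s, ACK), ct.classify(*c, *s, FIN | PSH | URG),
            ct.classify(*c, *s, 0)]  # ACK, then X-MAS and NULL on the same tuple
```

The cold probes reproduce the observation in question 1 (only the flag-less packet is refused), and the trace reproduces question 3: the X-MAS packet on an established tuple is never seen by rules placed after the ESTABLISHED accept.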