gracefull rst.
Hi all,
I wanted to ask if there is a way to leave a port open with iptables, for
example port 113, and close the connection properly with ACK/FIN, etc., after
the connection handshake is made?
I don't want to rudely use RST. It would be more polite to close the door
instead of shutting it in someone's face.

* - * - *
Tzahi Fadida
Tzahi@mailandnews.com
Fax (+1 Outside the US) 240-597-3213
* - * - * - * - * - *
Re: gracefull rst.
> I wanted to ask if there is a way to leave a port open with iptables, for
> example port 113, and close the connection properly with ACK/FIN, etc., after
> the connection handshake is made? I don't want to rudely use RST.

Have a user level process which does nothing but accept/close, and use
REDIRECT to get the connections to that user level process.

> It would be more polite to close the door
> instead of shutting it in someone's face.

Bad analogy. DROP presents no door at all. REJECT presents a closed door.
Your proposal opens the door, lets the person in one step, then shoves
the person out again without saying a word. This is still a bad analogy,
but it comes closer, I think.

Apart from that, you now increased the complexity of the "go away" case,
opening yourself wider against denial of service attacks of the resource
capturing nature. Think hard about that.

regards
Patrick
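The accept/close user-level process Patrick describes, as an added example that is not code from the thread: a small Python daemon that sends a one-line message, half-closes with FIN, drains until the peer's FIN arrives, and caps concurrent sessions to limit the resource-capture risk raised above. The iptables REDIRECT rule in the comment and the unprivileged port 1113 are assumptions.

```python
import socket
import threading

# Constructed example of the "accept, say go away, close" user-level process.
# Firewall side is assumed to be a rule along the lines of
#   iptables -t nat -A PREROUTING -p tcp --dport 113 -j REDIRECT --to-ports 1113
# so the daemon binds an unprivileged port and never needs root.

GOAWAY = b"Go away\r\n"
MAX_INFLIGHT = 32        # cap concurrent sessions: the DoS concern raised above
CLIENT_TIMEOUT = 2.0     # seconds; never hold socket state open for long


def serve_one(conn: socket.socket) -> None:
    """Send the message, then close both directions with an orderly FIN exchange."""
    try:
        conn.settimeout(CLIENT_TIMEOUT)
        conn.sendall(GOAWAY)
        # Half-close our side (sends FIN) and drain until the peer's FIN,
        # so the teardown is a normal four-way close rather than a RST.
        conn.shutdown(socket.SHUT_WR)
        while conn.recv(4096):
            pass
    except OSError:
        pass  # peer vanished or stalled past the timeout; just release it
    finally:
        conn.close()


def run_server(bind_addr=("127.0.0.1", 0)):
    """Listen in a background thread; returns the bound (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(bind_addr)
    srv.listen(MAX_INFLIGHT)
    slots = threading.BoundedSemaphore(MAX_INFLIGHT)

    def loop():
        while True:
            conn, _ = srv.accept()
            if not slots.acquire(blocking=False):
                conn.close()  # over the cap: release immediately, spend no thread
                continue

            def work(c=conn):
                try:
                    serve_one(c)
                finally:
                    slots.release()

            threading.Thread(target=work, daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()


def probe(addr):
    """Client-side check: connect, read the message, confirm an orderly EOF."""
    with socket.create_connection(addr, timeout=CLIENT_TIMEOUT) as c:
        data = c.recv(4096)
        eof = c.recv(4096) == b""  # b"" means the peer's FIN arrived, not a reset
        return data, eof
```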
Re: gracefull rst.
----- Original Message -----
From: Patrick Schaaf <bof@bof.de>
To: Pol Muaddib <muaddib@mailandnews.com>
Cc: <netfilter@lists.samba.org>
Sent: Sunday, August 05, 2001 9:17 AM
Subject: Re: gracefull rst.


> > I wanted to ask if there is a way to leave a port open with iptables, for
> > example port 113, and close the connection properly with ACK/FIN, etc., after
> > the connection handshake is made? I don't want to rudely use RST.
>
> Have a user level process which does nothing but accept/close, and use
> REDIRECT to get the connections to that user level process.
>
> > It would be more polite to close the door
> > instead of shutting it in someone's face.
>
> Bad analogy. DROP presents no door at all. REJECT presents a closed door.
> Your proposal opens the door, lets the person in one step, then shoves
> the person out again without saying a word. This is still a bad analogy,
> but it comes closer, I think.
>
> Apart from that, you now increased the complexity of the "go away" case,
> opening yourself wider against denial of service attacks of the resource
> capturing nature. Think hard about that.

I agree: opening a connection and closing it is hard work: sending the FIN
and waiting for the ACKs will suck up much unswappable kernel memory, which
could be used for real incoming connections or other things.
Moreover, you'll get no benefit: sending a RST will tear down the
establishing connection without harming the sender host!
In fact, the RFC says that an unwanted connection should be rejected using a RST,
not by accepting and closing it (i.e. when no one is listening on that port).

Radel
Re: gracefull rst.
> My line of thinking was, if there was any module developed for iptables that
> can be programmed to return a short message when opening a port (say 113).
> for example, open port 113 -> "go away" -> close.

My proposal using REDIRECT and a normal user level process, would do that.

The alternative is to hack a nearly-something-like-tcp-but-smaller thing,
e.g. as an iptables target extension. This is certainly doable. While you
implement it, you will feel the irresistible draft of this nice TCP code,
sitting just one directory above the netfilter code in the kernel sources.
Is it worth the hassle reimplementing a short-lived small-data TCP
implementation inside an iptables target? With proper semantics, perhaps?
You will certainly learn a lot on that project. :)

Please, don't get me wrong. Your idea may be suitable for lots of
applications. What I'm objecting to is your idea that there is
something missing in iptables, when REDIRECT and a user level process
can do what you want.

regards
Patrick
RE: gracefull rst.
You are right, maybe it was a bad analogy. I personally use -j
REJECT --reject-with tcp-reset.
In regard to software with redirect, I don't want a piece of software, and I don't
need to redirect to a simple program I could make in Perl. In regard to the
DDoS attacks, if a 13-year-old script kiddie wants to, he could attack my server
using a UDP packet storm from a few Sub7-server-infected cable modems, and
that's that. No firewall is gonna stop it. If you think otherwise, just ask
Steve Gibson: http://grc.com/dos/grcdos.htm
Anyway, I was asking this question for legitimate reasons (I think).
First, I want to apologize if I misled you.
My line of thinking was, if there was any module developed for iptables that
can be programmed to return a short message when opening a port (say 113).
For example, open port 113 -> "go away" -> close.
It is true that it could saturate the CPU, but so do other services. It is
just more straightforward and secure to put it as a feature on the firewall.
Besides, you could always do connection limiting to stop the saturation.
iptables IP conntrack and packet fragment reassembly is indeed a needed
feature, but iptables is vulnerable to CPU saturation because of it, so a
legit port with a short message is not a real problem :).

* - * - *
Tzahi Fadida
Tzahi@mailandnews.com
Fax (+1 Outside the US) 240-597-3213
* - * - * - * - * - *


-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Radel
Sent: Sunday, August 05, 2001 9:44 AM
To: Patrick Schaaf; Pol Muaddib
Cc: netfilter@lists.samba.org
Subject: Re: gracefull rst.



----- Original Message -----
From: Patrick Schaaf <bof@bof.de>
To: Pol Muaddib <muaddib@mailandnews.com>
Cc: <netfilter@lists.samba.org>
Sent: Sunday, August 05, 2001 9:17 AM
Subject: Re: gracefull rst.


> > I wanted to ask if there is a way to leave a port open with iptables, for
> > example port 113, and close the connection properly with ACK/FIN, etc., after
> > the connection handshake is made? I don't want to rudely use RST.
>
> Have a user level process which does nothing but accept/close, and use
> REDIRECT to get the connections to that user level process.
>
> > It would be more polite to close the door
> > instead of shutting it in someone's face.
>
> Bad analogy. DROP presents no door at all. REJECT presents a closed door.
> Your proposal opens the door, lets the person in one step, then shoves
> the person out again without saying a word. This is still a bad analogy,
> but it comes closer, I think.
>
> Apart from that, you now increased the complexity of the "go away" case,
> opening yourself wider against denial of service attacks of the resource
> capturing nature. Think hard about that.

I agree: opening a connection and closing it is hard work: sending the FIN
and waiting for the ACKs will suck up much unswappable kernel memory, which
could be used for real incoming connections or other things.
Moreover, you'll get no benefit: sending a RST will tear down the
establishing connection without harming the sender host!
In fact, the RFC says that an unwanted connection should be rejected using a RST,
not by accepting and closing it (i.e. when no one is listening on that port).

Radel
RE: gracefull rst.
Hi Nigel,
I will describe it again, if you misunderstood me.
Port 113, which is the ident service, is used by many servers to log some
info about you and then let you in.
If your port drops these packets, the server will time out, and the
connection (for example 6667 or 21) will drop as a result. If you however use
RST, some servers will let you in but proclaim they did not find ident, but
others will just drop the connection saying "come back with your id or get
lost". I propose, why not put something like a finger message on a
designated port like the above 113 and have a programmable ident, and
numerous other services that could enjoy these features. But that's just
me, you don't have to agree with that.
Anyway, in regard to your claim that packets could still be sent back, I
say (and you are free to correct me), so what. This port was meant to be
opened, and I don't care if it will send me even fragmented packets, since this
is what's so great about iptables: it reassembles packets on the fly. iptables
will not let it play you for a fool like the old FTP PORT attack.
In regard to DDoS, all this talk about closing some ports or anything like
that is futile. It's all short term anyway. With the release of Windows XP
all hell is gonna break loose on the internet. XP has its 'unix socket'
fully implemented like in Unix and Windows 2000. Imagine what it would be
like when infected Sub7 machines will spoof their address when attacking and
also be able to perform SYN attacks which they WEREN'T able to do in
Win95, 98, whatever garbage Windows releases, without taking any liability for
the damages. Personally I LIKE Microsoft since they make me a lot of work :)
security and stuff. KEEP UP THE GOOD WORK :)

Damn, I talk too much about a trivial, seemingly dumb question and suggestion
that could be solved with a simple Perl script :).

* - * - *
Tzahi Fadida
Tzahi@mailandnews.com
Fax (+1 Outside the US) 240-597-3213
* - * - * - * - * - *


-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Nigel Morse
Sent: Monday, August 06, 2001 12:12 PM
To: muaddib@mailandnews.com; Radel; netfilter@lists.samba.org
Subject: Re: gracefull rst.


> My line of thinking was, if there was any module developed for iptables that
> can be programmed to return a short message when opening a port (say 113).
> for example, open port 113 -> "go away" -> close.

But RST is the go away message, isn't it? If you don't want connections to
that port then don't allow them.. why let them get as far as opening it
(i.e. why do you want to do this?)
Also, as I said before, whilst you can close the connection of data flow from
your computer to the remote machine, they CAN still send data and you can
still receive it. This is at least my understanding.

Cheers
Nigel
Re: gracefull rst.
Here you are, but remember: without any warranty, etc....

in /etc/inetd.conf

ident stream tcp wait identd /usr/sbin/tcpd /usr/sbin/identd identd

and in your /etc/hosts.deny

identd:ALL:twist (/bin/echo "Go away")

You have to verify paths and other little things, but it will work great.

Regards. Radel


Pol Muaddib wrote:

> Hi Nigel,
> I will describe it again, if you misunderstood me.
> Port 113, which is the ident service, is used by many servers to log some
> info about you and then let you in.
> If your port drops these packets, the server will time out, and the
> connection (for example 6667 or 21) will drop as a result. If you however use
> RST, some servers will let you in but proclaim they did not find ident, but
> others will just drop the connection saying "come back with your id or get
> lost". I propose, why not put something like a finger message on a
> designated port like the above 113 and have a programmable ident, and
> numerous other services that could enjoy these features. But that's just
> me, you don't have to agree with that.
> Anyway, in regard to your claim that packets could still be sent back, I
> say (and you are free to correct me), so what. This port was meant to be
> opened, and I don't care if it will send me even fragmented packets, since this
> is what's so great about iptables: it reassembles packets on the fly. iptables
> will not let it play you for a fool like the old FTP PORT attack.
> In regard to DDoS, all this talk about closing some ports or anything like
> that is futile. It's all short term anyway. With the release of Windows XP
> all hell is gonna break loose on the internet. XP has its 'unix socket'
> fully implemented like in Unix and Windows 2000. Imagine what it would be
> like when infected Sub7 machines will spoof their address when attacking and
> also be able to perform SYN attacks which they WEREN'T able to do in
> Win95, 98, whatever garbage Windows releases, without taking any liability for
> the damages. Personally I LIKE Microsoft since they make me a lot of work :)
> security and stuff. KEEP UP THE GOOD WORK :)
>
> Damn, I talk too much about a trivial, seemingly dumb question and suggestion
> that could be solved with a simple Perl script :).
>
> * - * - *
> Tzahi Fadida
> Tzahi@mailandnews.com
> Fax (+1 Outside the US) 240-597-3213
> * - * - * - * - * - *
>
>
> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org]On Behalf Of Nigel Morse
> Sent: Monday, August 06, 2001 12:12 PM
> To: muaddib@mailandnews.com; Radel; netfilter@lists.samba.org
> Subject: Re: gracefull rst.
>
>
>> My line of thinking was, if there was any module developed for iptables that
>> can be programmed to return a short message when opening a port (say 113).
>> for example, open port 113 -> "go away" -> close.
>
> But RST is the go away message, isn't it? If you don't want connections to
> that port then don't allow them.. why let them get as far as opening it
> (i.e. why do you want to do this?)
> Also, as I said before, whilst you can close the connection of data flow from
> your computer to the remote machine, they CAN still send data and you can
> still receive it. This is at least my understanding.
>
> Cheers
> Nigel
Re: gracefull rst.
On Sun, Aug 05, 2001 at 03:01:41PM +0200, Radel wrote:
> Here you are, but remember: without any warranty, etc....
>
> in /etc/inetd.conf
>
> ident stream tcp wait identd /usr/sbin/tcpd /usr/sbin/identd identd
>
> and in your /etc/hosts.deny
>
> identd:ALL:twist (/bin/echo "Go away")
>
> You have to verify paths and other little things, but it will work great.

Great solution. The usual inetd ratelimiting should keep the box somewhat
useable, when under attack.

regards
Patrick
RE: gracefull rst.
Yeah, it's a nice solution for identd, let's leave it at that :)

10x.

* - * - *
Tzahi Fadida
Tzahi@mailandnews.com
Fax (+1 Outside the US) 240-597-3213
* - * - * - * - * - *


-----Original Message-----
From: Radel [mailto:netfilter@radel.yi.org]
Sent: Sunday, August 05, 2001 3:02 PM
To: muaddib@mailandnews.com; netfilter@lists.samba.org
Subject: Re: gracefull rst.


Here you are, but remember: without any warranty, etc....

in /etc/inetd.conf

ident stream tcp wait identd /usr/sbin/tcpd /usr/sbin/identd identd

and in your /etc/hosts.deny

identd:ALL:twist (/bin/echo "Go away")

You have to verify paths and other little things, but it will work great.

Regards. Radel


Re: gracefull rst.
> I wanted to ask if there is a way to leave a port open with iptables, for
> example port 113, and close the connection properly with ACK/FIN, etc., after
> the connection handshake is made?
> I don't want to rudely use RST. It would be more polite to close the door
> instead of shutting it in someone's face.

Well, if I remember TCP correctly, even if you could do this it would only
close the connection of data from yours to the other machine - data could
still flow the other way until the other machine also closes the connection
(again I'm going back to my uni networks course, but I think TCP is actually
2 connections in disguise - one each way).

Anyway, I don't think TCP stacks have emotions that can be hurt by a firm
door slam, and where security is concerned I'd rather slam it than push it
gently shut and give them time to put their foot in it (maybe I'm taking the
analogy too far here ;) )

Cheers
Nigel
Re: gracefull rst.
> My line of thinking was, if there was any module developed for iptables that
> can be programmed to return a short message when opening a port (say 113).
> for example, open port 113 -> "go away" -> close.

But RST is the go away message, isn't it? If you don't want connections to
that port then don't allow them.. why let them get as far as opening it
(i.e. why do you want to do this?)
Also, as I said before, whilst you can close the connection of data flow from
your computer to the remote machine, they CAN still send data and you can
still receive it. This is at least my understanding.

Cheers
Nigel