Mailinglist Archive: opensuse-security (520 mails)

RE: [suse-security] Problem with PSH flag?
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Wed, 17 Jul 2002 12:58:28 +0200
  • Message-id: <96C102324EF9D411A49500306E06C8D10182D9EC@xxxxxxxxxxxxxxxxx>
> It seems to me the PSH flag makes iptables drop the packet. But should
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> not take care of all response packets?
>
> Amazingly, all connections seem to work well. But I'd like to have a
> completely proper packet filter. So, could anyone here wave the clue
> stick in my general direction?

The PSH bit definitely doesn't cause netfilter to drop packets unless you
tell it to. In fact, were that the case, you couldn't use it to firewall
Winblows machines, since the MS stack sets the PSH bit on (just about) all
TCP segments by default, apparently. It could very well be that Linux
exhibits the same behaviour.

If that's your rule 12 up there (or rather, a mimic of rule 12 with an
ACCEPT instead of a LOG target), then it could be that the session has been
dropped from the connection table, i.e. conntrack has seen the FIN/ACK
handshake or perhaps enough of it to purge the corresponding table entry,
and that the remote host has then sent another packet. You'd need a (more or
less) full session dump to verify that.

Cya
Tobias
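
To illustrate the explanation above, here is an added toy model of TCP connection tracking (not netfilter's code and not part of the original thread). It replays a session with constructed packets and shows that the PSH bit never affects the `-m state` verdict, while a packet arriving after the FIN/ACK exchange has purged the entry matches neither ESTABLISHED nor NEW; timeouts, sequence-window checks and the TIME_WAIT hold of real conntrack are left out.

```python
# Toy TCP connection tracker, constructed for this example only; it is not
# netfilter's implementation and ignores timeouts and sequence checking.
SYN, FIN, ACK, PSH = 0x02, 0x01, 0x10, 0x08

class ToyConntrack:
    def __init__(self):
        self.table = {}          # flow key -> number of FINs seen so far

    @staticmethod
    def flow_key(pkt):
        # Same key for both directions, so replies hit the original entry.
        return frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])

    def classify(self, pkt):
        """Return the -m state verdict NEW / ESTABLISHED / INVALID for pkt."""
        flags = pkt["flags"] & ~PSH   # PSH is masked off: it never affects tracking
        key = self.flow_key(pkt)
        if key not in self.table:
            if flags == SYN:          # first packet of a new session
                self.table[key] = 0
                return "NEW"
            return "INVALID"          # e.g. a late packet after the entry was purged
        if flags & FIN:
            self.table[key] += 1
            return "ESTABLISHED"
        if self.table[key] >= 2:      # final ACK of the FIN/ACK exchange
            del self.table[key]       # entry purged; anything later is INVALID
        return "ESTABLISHED"

def packet(src, dst, flags, sport=40000, dport=80):
    # Constructed packet record; addresses are documentation/private ranges.
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}

def session_trace():
    """Replay one session and return (description, verdict) pairs."""
    ct, c, s = ToyConntrack(), "10.0.0.5", "192.0.2.10"
    steps = [
        ("client SYN", packet(c, s, SYN)),
        ("server SYN/ACK", packet(s, c, SYN | ACK, 80, 40000)),
        ("client ACK", packet(c, s, ACK)),
        ("server data PSH/ACK", packet(s, c, PSH | ACK, 80, 40000)),
        ("client FIN/ACK", packet(c, s, FIN | ACK)),
        ("server FIN/ACK", packet(s, c, FIN | ACK, 80, 40000)),
        ("client final ACK", packet(c, s, ACK)),
        ("server late PSH/ACK", packet(s, c, PSH | ACK, 80, 40000)),
    ]
    return [(desc, ct.classify(p)) for desc, p in steps]

if __name__ == "__main__":
    for desc, verdict in session_trace():
        print(f"{desc:22s} -> {verdict}")
```

The late PSH/ACK is classified INVALID, so it falls through the ESTABLISHED,RELATED rule to whatever LOG or DROP rule follows, exactly as it would without the PSH bit; a session dump around the close is what distinguishes this case from a genuine tracking problem.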
