On 04/22/2014 05:15 PM, John Andersen wrote:
On 4/22/2014 1:41 PM, Anton Aylward wrote:
On 04/22/2014 12:31 PM, Patrick Shanahan wrote:
What I do not understand is how stopping the firewall and then restarting it does not destroy the connection as it apparently thought it was originally supposed to do.
That bothers me as well. There could be a security hole sitting there.
Firewalls usually do not disrupt pre-existing connections/sockets.
Removing the firewall simply allows the source and destination to continue unhindered. Re-establishing the firewall, and that same stream is allowed because it meets the rules.
That seems reasonable, but it's not what is implied here. Do we agree that if the rules do not permit it, then a connection that was set up before the firewall started should be torn down when the firewall starts? Do we agree that if it is permitted to stay up then THAT is a security violation? Good. Now what Patrick had was a situation where the firewall was up and the connection could not be established. The firewall goes down and he can establish the connection. To me, that implies the firewall was blocking the connection. Why should it do that unless there is a rule to that effect? And if there is a rule to that effect then it comes into action when the firewall is brought up and should tear down any connection that violates the rule. The connection could not be established while the firewall was up? Why? Because it violated some rule. I agree with you when you say:
Re-establishing the firewall, and that same stream is allowed because it meets the rules.
My point is that if it meets the rule then there would have been no problem setting it up while the firewall was active. Now I don't have access to Patrick's logs, so maybe something else is going on, but one interpretation of what *has* been reported is that the firewall allows established connections to continue though they don't meet the rules. If that is the case then there is a security problem. I agree with you, John, about what firewalls OUGHT to do. I am concerned about the evidence as to what this firewall *IS* doing.
A simple firewall is distinct from a router.
But even most iptables based router implementations would allow established connections to continue.
So, you are saying that they would allow established connections to continue EVEN IF THEY ARE IN VIOLATION OF THE RULES? Is that the way iptables works?

--
The master worries about the work, and the apprentice worries about the tools.
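A toy model of the behaviour debated in this thread, added here as an illustration and not part of the original exchange: a stateful filter whose connection-tracking table (modelled on nf_conntrack, which a plain rule flush does not clear) survives a firewall stop/start, so a flow opened while the rules were down keeps matching a leading ESTABLISHED accept rule once they are reloaded. Clearing the state table on restart is shown as the assumed mitigation; addresses and ports are constructed.

```python
class StatefulFilter:
    """Toy model of a conntrack-backed filter (constructed, not iptables)."""

    def __init__(self):
        self.conntrack = set()  # tracked flows: survives a rule flush
        self.rules = []         # ordered (ctstate, allowed ports) entries

    def load_rules(self, allowed_ports):
        # Common ordering: accept ESTABLISHED first, then NEW flows to the
        # listed services; anything else falls through to DROP.
        self.rules = [("ESTABLISHED", None), ("NEW", set(allowed_ports))]

    def flush_rules(self):
        self.rules = []  # like 'iptables -F': rules gone, state table kept

    def flush_conntrack(self):
        self.conntrack.clear()  # like 'conntrack -F': forget tracked flows

    def filter(self, flow):
        """flow is a constructed (src, dst, dport) tuple; returns a verdict."""
        dport = flow[2]
        if not self.rules:  # firewall "down": no policy, but flows still tracked
            self.conntrack.add(flow)
            return "ACCEPT"
        state = "ESTABLISHED" if flow in self.conntrack else "NEW"
        for ctstate, ports in self.rules:
            if state == ctstate and (ports is None or dport in ports):
                self.conntrack.add(flow)
                return "ACCEPT"
        return "DROP"


def replay_scenario(flush_state_on_restart):
    """Firewall up -> down -> up again, probing a port no rule permits.
    Returns the verdict at each of the three steps."""
    fw = StatefulFilter()
    fw.load_rules({22})
    probe = ("10.0.0.5", "10.0.0.1", 8080)  # constructed flow, port not allowed
    while_up = fw.filter(probe)              # blocked by the ruleset
    fw.flush_rules()
    while_down = fw.filter(probe)            # accepted, and now in the state table
    fw.load_rules({22})
    if flush_state_on_restart:
        fw.flush_conntrack()
    after_restart = fw.filter(probe)         # depends on whether state survived
    return while_up, while_down, after_restart
```

Without the state flush the model reproduces the reported observation (DROP, ACCEPT, ACCEPT); with it the reloaded rules see a NEW flow and the third verdict is DROP.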