On 2014-04-23 02:42, Anton Aylward wrote:
On 04/22/2014 07:36 PM, John Andersen wrote:
Patrick's assumption that a *pre-existing* connection should be stopped by a new firewall rule is simply not the case today, but it is a common misconception. So much so that it is FAQ Question 4B in the Shorewall Firewall guide. http://shorewall.net/3.0/FAQ.htm#faq4b
Indeed. As you point out, that is the way iptables has been set up to work. I'm not saying that is not how things work; I'm just saying that, rightly or wrongly, there is a potential security risk.
Patrick's strategy of disconnecting the router was one very effective way of mitigating that risk.
Could iptables be set up so that a firewall will tear down an existing connection that violates its rules? I have no doubt it could.
I doubt it could :-)

For instance, some connections, like ftp and nfs, in different manners, need a port negotiation, and authorize that random port dynamically for the service to establish. When the firewall starts and there is already an ftp or nfs connection, it cannot know which are the authorized extra ports, because while it was off it could not track connections. In that scenario, established and allowed nfs connections would be torn down on firewall start.

However, I have seen a configuration somewhere where tearing down the firewall also tears down the network. All existing connections, good or bad, are broken. Means no remote maintenance, of course.

More sensible is not allowing any new connection while the firewall is being restarted. I think that SuSEfirewall can do this, but I don't remember how (does it do it by default?). Done this way, unplugging the router is not necessary - but peace of mind is a good thing ;-)

--
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)