On 4/22/2014 2:28 PM, Anton Aylward wrote:
> That seems reasonable, but it's not what is implied here.
> Do we agree that if the rules do not permit it, then a connection that was set up before the firewall started should be torn down when the firewall starts? Do we agree that if it is permitted to stay up then THAT is a security violation?
The security violation you postulate was letting a connection happen BEFORE you launched your firewall.

In the several implementations of netfilter firewalls that I have used, they are only aware of allowing/denying the creation of new connections, and do not *typically* mess with pre-existing open connections/sockets. I think there are ways to force netfilter to close all open connections, but this could be more than a little disruptive (lots of internal connections exist through netfilter too). So while I think you COULD force pre-existing connections to be torn down, I haven't spent enough time thinking of all the ramifications of that yet to fully agree that they SHOULD. In any event, I don't think that is how most such firewalls work.

SO: when you turn the firewall off, everything reverts to the state where IF there is something LISTENING on that port, then that port is "open" and it can accept connections.

If you intend to accept many connections, the first thing your listening daemon does after a connection is get the hell off of the listening port. You do this via accept(). See: man 2 accept. You issue an accept() and that gives you a new socket (a file descriptor in *nix), which is *no longer in the listening state* (it's in the connected state).

Netfilter firewalls usually watch ports and trap the connection attempts. Most don't watch every packet on established connections. Too much overhead. So when Patrick tears down a firewall, makes a connection, then brings up the firewall, it typically does not know about pre-existing connections; they are, by design, in a separate address space.

This is why you start your firewall (to tell iptables to configure netfilter) before you start your listening daemons, so that the script kiddie hammering a port can't get accepted by a daemon that started before netfilter.

Not knowing about pre-existing connections is a good thing in most cases.
You can ssh into a remote server, dick around with the firewall settings and stop/restart it without worrying about killing your own ssh connection, and potentially leaving your remote machine in a broken and vulnerable state. That original connection will persist.

--
---This space for rent---
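The two practices the reply describes (a reload that does not kill the admin's own ssh session, and starting the firewall before any listening daemon) as an added example; this is editor-supplied shell, not code from the thread or from openSUSE. It assumes sshd on port 22, an admin network of 192.0.2.0/24 (the RFC 5737 documentation range), iptables-restore on the host, and a daemon start command passed in by the caller; all of those are placeholders. One practitioner caveat that goes beyond the post: whether a TCP connection that predates the ruleset is matched by the ESTABLISHED rule depends on the kernel sysctl nf_conntrack_tcp_loose (default 1, conntrack adopts a flow it never saw the handshake of; 0, only handshakes it observed become entries), so the helper below reports that value.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal host firewall in
# iptables-restore syntax, ordered so that connections conntrack already
# tracks (the admin's own ssh session) survive a reload, plus a start wrapper
# that loads the firewall before the listening daemon.
# Assumptions: sshd on 22, admins from 192.0.2.0/24 (RFC 5737 range),
# iptables-restore installed, daemon started by a command you pass in.

SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

# Emit the whole filter table. The ESTABLISHED,RELATED rule precedes every
# rule that matches NEW, so packets of an already-tracked session are accepted
# and only the *creation* of connections is policed after it.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -s ${ADMIN_NET} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-drop: " --log-level 4
-A INPUT -j DROP
COMMIT
EOF
}

# Sanity check before applying: the rule for tracked connections must come
# before the first rule that admits NEW ones, or a reload over ssh can lock
# you out. Exit status 0 means the order is right.
ruleset_order_ok() {
  gen_ruleset | awk '
    /--ctstate ESTABLISHED,RELATED/ && !est { est = NR }
    /--ctstate NEW/ && !new { new = NR }
    END { exit !(est && new && est < new) }'
}

# Number of rules that admit NEW connections: the exposed surface to review.
new_rule_count() {
  gen_ruleset | grep -c -- '--ctstate NEW'
}

# iptables-restore swaps the whole table in one step, so there is no window
# in which a half-loaded chain is in force. Needs root and a netfilter kernel.
apply_ruleset() {
  ruleset_order_ok || {
    echo "refusing to load: rule order would drop the admin session" >&2
    return 1
  }
  gen_ruleset | iptables-restore
}

# Whether conntrack adopts a TCP flow it did not see the handshake of (the
# pre-existing connections discussed in the post). 1 (kernel default): such
# a flow becomes an ESTABLISHED entry on its next packet; 0: only handshakes
# conntrack observed are tracked. Prints "unknown" if the sysctl is absent.
conntrack_tcp_loose() {
  f=/proc/sys/net/netfilter/nf_conntrack_tcp_loose
  if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Start order from the post: firewall first, then the daemon, so a listener
# cannot accept() anything while the INPUT chain is still empty.
start_host() {
  daemon_cmd="$1"   # e.g. "systemctl start sshd" (assumes a systemd host)
  apply_ruleset && sh -c "$daemon_cmd"
}
```

Typical use on the host is `start_host "systemctl start sshd"` from a boot-time script; running `ruleset_order_ok` and `conntrack_tcp_loose` first, over the existing ssh session, tells you whether the reload will keep that session and whether a connection opened while the table was flushed will be adopted afterwards.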