Closed: ypid closed this 9 years ago
This would ensure that lpfw works even when someone who is testing it had a firewall script run previously.
does this allow existing connections at the time when lpfw starts?
I don’t see a reason why it should not. Also, I just tested it and it does not disconnect my SSH session :smile:.
OK, I understood the reasons. I will not merge this because the same can be accomplished with a script.
Fair enough. What about extending this PR to a default policy of REJECT or DROP? lpfw currently accepts invalid packets because of the default policy.
Sorry, I don't understand what you mean. Can you be more specific?
Sure. As described in iptables-extensions(8), the state module allows the states INVALID, ESTABLISHED, NEW, RELATED or UNTRACKED, but only NEW is currently handled, thus also allowing INVALID.
Thanks. Have a look here: https://github.com/themighty1/lpfw/blob/master/conntrack.c#L104. We flush all connection states when lpfw starts.
Thanks for the ref. So when INVALID would be dropped, all previous connections would be dropped?
In the scenario where you have an existing valid connection and a rogue packet arrives which is marked INVALID? I guess only that rogue packet is dropped, not the valid connection. (Having read this: https://unix.stackexchange.com/questions/57423/how-to-understand-why-the-packet-was-considered-invalid-by-the-iptables)
It is also important to remember that lpfw's iptables rules only pass a verdict on packets with state NEW. All other packets are allowed to pass. Because lpfw flushes conntrack, every first packet from then on will be marked NEW and allowed/denied by lpfw. As soon as the packet is ESTABLISHED or even INVALID, lpfw has no business in passing an allow/deny verdict on it; it will allow it to pass.
Right, but as far as I understand the connection tracking in Linux, it will only consider a connection (packet) as NEW when it is a TCP SYN, for example. When flushing conntrack it does not know about the previous connection anymore and will classify it as INVALID. From that perspective it is probably OK to allow INVALID by default. Edit: As said in the stackexchange post
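To make the two policies discussed in this thread concrete, the following is an added example and not code from lpfw's repository or from either commenter. It places the "NEW only" ruleset the thread describes beside the stricter variant proposed above; the chain (OUTPUT), the NFQUEUE number and the use of the `state` match are assumptions, and the commands are printed rather than applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added illustration, not lpfw's own rules. Prints the iptables commands by
# default; run with APPLY=1 as root to actually load them.
QUEUE_NUM=${QUEUE_NUM:-11223}   # assumed queue number; lpfw's real value may differ

ipt() {
  if [ "${APPLY:-0}" = "1" ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Variant 1: what the thread describes. Only NEW packets are handed to the
# userspace firewall; every other state (ESTABLISHED, RELATED, INVALID,
# UNTRACKED) falls through to the ACCEPT policy without a verdict.
lpfw_style_rules() {
  ipt -P OUTPUT ACCEPT
  ipt -A OUTPUT -m state --state NEW -j NFQUEUE --queue-num "$QUEUE_NUM"
}

# Variant 2: the stricter policy proposed in the thread. INVALID is dropped
# explicitly, ESTABLISHED/RELATED is accepted, NEW still goes to userspace,
# and the chain policy is DROP so nothing passes merely by omission.
strict_rules() {
  ipt -P OUTPUT DROP
  ipt -A OUTPUT -m state --state INVALID -j DROP
  ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A OUTPUT -m state --state NEW -j NFQUEUE --queue-num "$QUEUE_NUM"
}

# Caveat raised in the thread: after conntrack is flushed (see conntrack.c),
# a mid-stream packet of a pre-existing session may be classified INVALID, so
# under strict_rules that session stalls. Only flush when no sessions exist.
if [ "${1:-}" = "strict" ]; then strict_rules; else lpfw_style_rules; fi
```

Running `sh rules.sh strict` prints the strict ruleset; diffing the two outputs shows exactly which states gain an explicit rule.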
What is the rationale exactly? lpfw is supposed to start early with the system when there's no network activity yet.