[ale] Inexpensive broadband recommendations

Mike Millson mgm at atsga.com
Thu Feb 20 18:16:13 EST 2003


On Thu, 2003-02-20 at 16:27, Jonathan Rickman wrote:
> On Thu, 20 Feb 2003, rhiannen wrote:
> 
> > The "it worked fine yesterday" line is the most common line any support hears,
> > usually followed much, much later by the discovery that new software was loaded,
> > "but it loaded fine and everything worked, I just can't get to the web or my
> > email Now."  On win machines, it is an Extremely common occurrence to have
> > software load "improvements" which hose the fragile win networking stack.
> 
> I'm not a Windows apologist by any means, but I feel I should point out
> that Windows (among others, many others) pretty much utilizes a clone of
> the BSD TCP stack that I'm sure Bob had some involvement in. This
> is not an Internet myth (urban legend) according to my sources. The
> Windows, specifically the NT based kernels, TCP stack is anything but
> fragile. 

I have a ton of error messages in /var/log/messages that make me think
otherwise and agree w/ the guy that wrote the iptables tutorial.

Take a look at this:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Do a find on "bad Microsoft TCP/IP implementations", and you'll see the
following under section B.2:

"There is a certain feature in iptables that is not so well documented
and may therefore be overlooked by a lot of people (yes, including me).
If you use state NEW, packets with the SYN bit unset will get through
your firewall. This feature is there because in certain cases we want to
consider that a packet may be part of an already ESTABLISHED connection
on, for instance, another firewall. This feature makes it possible to
have two or more firewalls, and for one of the firewalls to go down
without any loss of data. The firewalling of the subnet could then be
taken over by our secondary firewall. This does however lead to the fact
that state NEW will allow pretty much any kind of TCP connection,
regardless if this is the initial 3-way handshake or not. To take care
of this problem we add the following rules to our firewalls INPUT,
OUTPUT and FORWARD chain: 

$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
     --log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Caution: The above rules will take care of this problem. This is a badly
documented behavior of the Netfilter/iptables project and should
definitely be more highlighted. In other words, a huge warning is in its
place for this kind of behavior on your firewall.


Note that there are some troubles with the above rules and bad Microsoft
TCP/IP implementations. The above rules will lead to certain conditions
where packets generated by Microsoft products get labeled as state NEW
and hence get logged and dropped. It will however not lead to broken
connections to my knowledge. The problem occurs when a connection gets
closed, the final FIN/ACK is sent, the state machine of Netfilter closes
the connection and it is no longer in the conntrack table. At this point
the faulty Microsoft implementation sends another packet which is
considered as state NEW but lacks the SYN bit and hence gets matched by
the above rules. In other words, don't worry too much about this rule, or
if you are worried anyway, set the --log-headers option to the rule and
log the headers too and you'll get a better look at what the packet
looks like."

> It's pretty tough to break the TCP/IP implementation with a
> simple software install. All things are possible, when an installer
> package is not put together properly...or gets "out of its sandbox".
> However, the same applies to 75% of the *nix stuff on freshmeat, as many
> newer Linux users will simply install everything as root without testing
> it first. Linux on the desktop is being touted everywhere, and make no
> mistake, it is coming. Fasten your seatbelts folks, 'cause all those
> "winders" users are on their way to "sudo land" and it's gonna be a bumpy
> ride. I suggest you get Slack now and save yourself the trouble of
> switching later when RH, SuSE, and company complete their dumbing down of
> Linux for Joe Sixpack. Call me elitist if you want, but I spent the better
> part of the day using Mac OS X and I feel that even it's too "dumbed down"
> to suit my taste...although it is pretty sweet.
> 
> I am a Linux enthusiast. I like text config files and shell scripts. I
> made a 2 foot stack of floppies last night and installed Slackware the old
> fashioned way...because I like it. I read my mail with Pine and feel
> guilty for not using mailx. I think vi is the greatest. Text www browsers
> rock, and I don't need no stinking passport. I fully understand that not
> everyone shares my feelings, but I refuse to change. I am a Slackware
> user, and you can see my strength.
> 
> Laugh now.
> 
> --
> Jonathan Rickman
> X Corps Security
> http://www.xcorps.net

_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
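The quoted rules log every TCP packet that conntrack treats as NEW but that has no SYN bit, and the tutorial says most of those are harmless stragglers from a Microsoft stack sending one more packet after the connection has already been closed and dropped from the conntrack table. The script below is an added example (not code from the original post or from the iptables tutorial) that parses "New not syn:" lines in the format the kernel writes for the iptables LOG target and separates that benign pattern (a lone ACK, FIN/ACK or RST) from anything else worth a second look. The log lines in SAMPLE_LOG are constructed for the example; the prefix string, host names and addresses are assumptions.

```python
"""Summarise "New not syn:" iptables LOG lines from /var/log/messages."""
from collections import Counter
from dataclasses import dataclass

PREFIX = "New not syn:"          # the --log-prefix used by the quoted rules
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Flag sets that look like the tail end of a normal close: an ACK, FIN/ACK or
# RST arriving after conntrack has already forgotten the connection. This is
# the pattern the tutorial attributes to the Microsoft stack.
TEARDOWN_PATTERNS = (
    frozenset({"ACK"}),
    frozenset({"ACK", "FIN"}),
    frozenset({"RST"}),
    frozenset({"ACK", "RST"}),
)

# Constructed sample log lines (not taken from the original post). The fourth
# line carries no TCP flags at all, which is not what a late teardown looks like.
SAMPLE_LOG = """\
Feb 20 18:10:01 fw kernel: New not syn:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=4711 DF PROTO=TCP SPT=1078 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
Feb 20 18:10:02 fw kernel: New not syn:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=4712 DF PROTO=TCP SPT=1078 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Feb 20 18:11:30 fw kernel: New not syn:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=4713 DF PROTO=TCP SPT=1079 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Feb 20 18:12:00 fw kernel: New not syn:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Feb 20 18:12:01 fw kernel: Other rule:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=5555 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""


@dataclass(frozen=True)
class Entry:
    src: str
    dst: str
    spt: int
    dpt: int
    ttl: int
    flags: frozenset


def parse_line(line):
    """Return an Entry for a "New not syn:" TCP line, or None for any other line."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    fields, flags = {}, set()
    for tok in line[idx + len(PREFIX):].split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val          # KEY=VALUE pairs such as SRC=, TTL=, DPT=
        elif tok in TCP_FLAGS:
            flags.add(tok)             # bare TCP flag tokens; DF (an IP flag) is ignored
    if fields.get("PROTO") != "TCP":
        return None
    return Entry(fields["SRC"], fields["DST"], int(fields["SPT"]),
                 int(fields["DPT"]), int(fields["TTL"]), frozenset(flags))


def classify(entry):
    """Label the benign post-close case; everything else is left for review."""
    if entry.flags in TEARDOWN_PATTERNS:
        return "post-close straggler"
    return "review"


def summarize(log_text):
    """Count matching lines per (SRC, verdict) so the noisy hosts stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            counts[(entry.src, classify(entry))] += 1
    return counts


if __name__ == "__main__":
    for (src, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:16} {verdict:22} {n}")
```

Run it against a real file with `summarize(open("/var/log/messages").read())`. A source that only ever shows up as "post-close straggler" with TTL=128 (the default initial TTL of Windows hosts) is the case the tutorial describes and can be ignored; a source that piles up "review" entries is what the LOG rule is really there to surface.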