[ale] Firewall quickie

Transam bob at verysecurelinux.com
Mon Jul 7 22:54:06 EDT 2003


On Mon, Jul 07, 2003 at 12:46:01PM -0400, Tom & JaVonn wrote:
> If I flush the firewall rules, and reload a new set, does that bother
> any existing connections?  

It depends on your rule set, regardless of whether you're using
IP Chains or IP Tables.  The "-F" to flush the rules will not destroy
knowledge about existing connections (being tracked via IP Masquerading
or Tables' non-IP Masquerading connection tracking).

However, you must ask yourself: after each ipchains or iptables command is
invoked, what will your rule set do if a packet comes in?  Depending on
the ordering of rules, what is dropped vs. rejected, etc., an existing
connection where a packet comes in during the few seconds that the new
rule set is being generated could be lost.  (Each ipchains or iptables
command invocation may be considered an atomic operation happening
instantaneously for the purposes of this analysis.)  This includes
"keep alive" packets.

Quiescent connections should survive.

More importantly, many SysAdmins' rule sets are defective in that there
are race conditions while rules are being added after a flush that
unintentionally will let in packets that would NOT be let in once the rule
set has been completely added (after the flush).  Such a rule set has
a security bug.

> Normally, I do this after everyone's gone home, but am training an
> employee to make changes.

> Thanks!
> Tom

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
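The race Bob describes is the gap between "iptables -F" and the last "iptables -A": -F empties the chain but leaves whatever -P policy was set, so until the rebuild finishes the host is either wide open (policy ACCEPT) or dropping everything, live connections included (policy DROP). The script below is an added example and is not code from the original message or from Bob Toxen; it avoids the race by generating the whole filter table in iptables-restore format and letting iptables-restore swap the table in one step. The interface name eth0, the port list, and the function names gen_ruleset/check_ruleset/load_ruleset/racy_reload are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Replaces the racy
# "iptables -F; iptables -A ...; iptables -A ..." sequence with a single
# atomic table swap via iptables-restore, so no packet ever meets a
# half-built rule set. Interface name, ports and function names below
# are assumptions chosen for illustration.

WAN_IF="${WAN_IF:-eth0}"                  # assumed external interface
ALLOWED_TCP="${ALLOWED_TCP:-22 80 443}"   # assumed inbound services

# Print the complete filter table in iptables-restore format.
# Ordering matters even here: policies are DROP (fail closed), and the
# ESTABLISHED,RELATED accept comes before any per-service rule so the
# connections the kernel is already tracking never depend on a later line.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF
    for port in $ALLOWED_TCP; do
        printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    printf '%s\n' "-A INPUT -j DROP"
    printf '%s\n' "COMMIT"
}

# Checks that need no root: the table must fail closed, must end with
# COMMIT, and the ESTABLISHED,RELATED rule must precede the first rule
# that admits NEW connections.
check_ruleset() {
    rs=$(gen_ruleset)
    printf '%s\n' "$rs" | grep -q '^:INPUT DROP'   || return 1
    printf '%s\n' "$rs" | grep -q '^:FORWARD DROP' || return 1
    [ "$(printf '%s\n' "$rs" | tail -n 1)" = "COMMIT" ] || return 1
    est=$(printf '%s\n' "$rs" | grep -n -e 'ESTABLISHED,RELATED' | cut -d: -f1 | head -n 1)
    new=$(printf '%s\n' "$rs" | grep -n -e '--state NEW' | cut -d: -f1 | head -n 1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}

# Atomic reload. iptables-restore parses the whole file first (--test
# catches typos without touching the kernel) and then replaces the table
# in one step, so there is no window with a flushed chain and a lingering
# policy. Connection tracking state is untouched, as the post notes, so
# the ESTABLISHED,RELATED line keeps live sessions alive across the swap.
load_ruleset() {
    check_ruleset || { echo "ruleset failed sanity check" >&2; return 1; }
    gen_ruleset | iptables-restore --test || return 1
    gen_ruleset | iptables-restore
}

# The pattern the post warns about, kept only for contrast and never called:
# -F empties the chain but leaves the -P policy in place, so between the
# flush and the last -A the box is either wide open (policy ACCEPT) or
# drops everything, live connections included (policy DROP).
racy_reload() {
    iptables -F INPUT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -j DROP
}

case "${1:-}" in
    show)  gen_ruleset ;;
    check) check_ruleset && echo "ruleset ok" ;;
    load)  load_ruleset ;;
esac
```

Run "sh fw.sh show" to inspect the generated table and "sh fw.sh check" as an unprivileged user before handing the script to someone who will run "load" as root. Two caveats worth keeping in mind while reading the post: a packet that meets a DROP during a reload only delays a live TCP session (the peer retransmits), whereas a REJECT with a TCP reset would tear the session down; and iptables-restore replaces one table at a time, so a rule set spread over filter and nat is atomic per table, not across both.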