#37 Protection Rule

closed
nobody
None
5
2007-08-20
2007-08-12
fireholuser
No

Hi,

I see that protection rules are applied in such a way that INVALID packets are dropped even before them being identified as bad-packets (xmas, NULL,etc).

Shouldn't the bad-packets being tracked before?

Therefore, INVALID chain should appear at the bottom.

i.e. after "fragments new-tcp-w/o-syn icmp-floods syn-floods malformed-xmas malformed-null malformed-bad"

Please correct me if I'm wrong?

With the current default firehol settings, I see no hits on chains for malformed-* packets.

Thanks in advance.

fiu.

Discussion

  • Costa Tsaousis

    Costa Tsaousis - 2007-08-20
    • status: open --> closed
     
  • Costa Tsaousis

    Costa Tsaousis - 2007-08-20

    Logged In: YES
    user_id=582393
    Originator: NO

    ou may be right.
    From the iptables man page:

    Possible states are INVALID meaning that the packet could not be identified
    for some reason which includes running out of memory and ICMP errors which don't
    correspond to any known connection...

    If the connection tracker marks as INVALID all those matched by the firehol
    protections, then the protections are meaningless and should not exist in a
    tool like firehol.
    Anyway, I have moved the invalid match last in the list of protections
    (in v1.262).