Date:   Mon, 19 Sep 2022 22:23:10 +0200
From:   Florian Westphal <fw@...len.de>
To:     Jakub Kicinski <kuba@...nel.org>
Cc:     Pablo Neira Ayuso <pablo@...filter.org>,
        Chris Clayton <chris2553@...glemail.com>,
        Florian Westphal <fw@...len.de>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        regressions@...ts.linux.dev, netfilter-devel@...r.kernel.org,
        coreteam@...filter.org
Subject: Re: removing conntrack helper toggle to enable auto-assignment [was Re: b118509076b3 (probably) breaks my firewall]

Jakub Kicinski <kuba@...nel.org> wrote:
> On Sat, 10 Sep 2022 04:02:18 +0200 Pablo Neira Ayuso wrote:
> > > > I'll update netfilter.org to host a copy of the github sources.
> > > > 
> > > > We have been announcing this going deprecated for 10 years...  
> > > 
> > > That may be the case, it should be broken before -rc1 is released. Breaking it at -rc4+ is, I think, a regression!
> > > Adding Thorsten Leemuis to cc list  
> > 
> > Disagreed, reverting and waiting for one more release cycle will just
> > postpone the fact that users must adapt their policies, and that they
> > rely on a configuration which is not secure.
> 
> What are the chances the firewall actually needs the functionality?

Unknown, there is no way to tell.

In old times, it was enough (not tested, just for illustration):

iptables -A FORWARD -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

and load nf_conntrack_ftp (or whatever).  The module will auto-snoop traffic
on tcp port 21 for ftp commands; if it finds some, it auto-installs dynamic
'expectation entries', so when the data connection comes it will hit the RELATED
rule above.

This stopped working years ago, unless you set the (now removed)
knob back to 1.

Assuming iptables, users would need to do something like
iptables -t raw -A PREROUTING -p tcp --dport 21 -d $ftpaddr -j CT --helper "ftp"

to indicate that packets/connections on tcp:21 need to be examined for ftp commands.

> Perhaps we can add the file back but have it do nothing?

I think it's even worse, users would think that auto-assign is enabled.
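Added example, not part of Florian's mail or of the netfilter project's own code: a shell snippet that emits the explicit helper assignment the mail describes (iptables CT target in the raw table, plus the nft equivalent), and a small check over an iptables-save dump that flags a ruleset still relying on the removed auto-assignment (RELATED accepted, no helper assigned). The server address 192.0.2.10, the nft table/chain names and the two sample dumps are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the mail above: explicit conntrack helper
# assignment for FTP plus a check for rulesets that still rely on the
# removed auto-assignment. 192.0.2.10 and the nft table/chain names are
# placeholders (assumptions).

# iptables rules for a forwarding firewall in front of the FTP server $1.
# With the nf_conntrack_helper knob gone, loading nf_conntrack_ftp alone
# changes nothing: the CT target in the raw table is what marks tcp/21
# flows to $1 for inspection, and only then do the data connections show
# up as RELATED.
ftp_helper_rules_iptables() {
    cat <<EOF
iptables -t raw -A PREROUTING -d $1 -p tcp --dport 21 -j CT --helper ftp
iptables -A FORWARD -d $1 -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Same policy in nft syntax: a ct helper object, assigned in a prerouting
# chain at raw priority so it happens before conntrack picks up the flow.
ftp_helper_rules_nft() {
    cat <<EOF
nft add table inet fw
nft add ct helper inet fw ftp-std '{ type "ftp" protocol tcp; }'
nft add chain inet fw raw_pre '{ type filter hook prerouting priority raw; }'
nft add rule inet fw raw_pre ip daddr $1 tcp dport 21 ct helper set "ftp-std"
nft add chain inet fw forward '{ type filter hook forward priority filter; policy drop; }'
nft add rule inet fw forward ip daddr $1 tcp dport 21 ct state new accept
nft add rule inet fw forward ct state related,established accept
EOF
}

# audit_ruleset DUMP   (DUMP = iptables-save output or a list of iptables
#                       commands)
#   returns 0: a CT --helper rule assigns a helper explicitly
#   returns 1: RELATED is accepted but no helper is assigned, i.e. the
#              configuration that silently broke when the knob went away
#   returns 2: no RELATED rule at all; helpers play no role here
audit_ruleset() {
    if printf '%s\n' "$1" | grep -q -e '-j CT .*--helper'; then
        return 0
    elif printf '%s\n' "$1" | grep -q -e '--ctstate [A-Z,]*RELATED'; then
        return 1
    fi
    return 2
}

# report LABEL DUMP: human-readable wrapper around audit_ruleset.
report() {
    if audit_ruleset "$2"; then
        echo "$1: helper assigned explicitly"
    else
        echo "$1: status $? (1 = relies on removed auto-assignment, 2 = no RELATED rule)"
    fi
}

# Constructed iptables-save dump of a firewall that relied on auto-assignment.
LEGACY_DUMP='*filter
:FORWARD DROP [0:0]
-A FORWARD -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.0.2.10/32 -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT'

# Constructed dump of the same firewall after adding the helper assignment.
FIXED_DUMP='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.0.2.10/32 -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT'

# Stand-alone use: "sh audit.sh live" audits the running ruleset (needs
# root); with no argument the two constructed dumps are checked.
if [ "${1:-}" = "live" ]; then
    report "live ruleset" "$(iptables-save)"
else
    report "legacy dump" "$LEGACY_DUMP"
    report "fixed dump" "$FIXED_DUMP"
fi
```

The audit is deliberately coarse: it only tells you whether any helper is assigned at all, which is the question Jakub asked and which cannot be answered from kernel state. Whether a given RELATED rule actually depended on helper-generated expectations (FTP data channels, SIP media, and so on) still has to be judged against the services behind the firewall.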
