
Is Astaro affected by flaw in IPTables and FTP

Hi.. 

Is Astaro affected by the recently discovered bug in IPTables using the FTP port?

Security Focus advisory at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26mid%3D177070

/Henrik
Denmark

Hi HenrikP,

Astaro Security Linux is affected only in a very limited range of cases (the time difference between the spoof attack and the MiddleWare run), because we don't trust the iptables connection tracking.

There is an extra chain (FIX_CONNTRACK (3 references)) which is called by INPUT, FORWARD and OUTPUT. FIX_CONNTRACK is created by our MiddleWare and drops all connections from the iptables connection tracking table which have no corresponding rule in TTT_ACCEPT or USR_FORWARD.
So you can't spoof the connection tracking table, because an extra drop rule will be generated (matched before the state RELATED,ESTABLISHED rule). This drop rule stays active until the connection tracking table entry has timed out.
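The rule ordering the reply describes, as an added example that is not Astaro's own configuration or MiddleWare output: a shell script that emits an iptables-restore style ruleset in which the FIX_CONNTRACK jump precedes the RELATED,ESTABLISHED accept in INPUT, FORWARD and OUTPUT, plus a check that verifies that ordering. The chain names FIX_CONNTRACK, TTT_ACCEPT and USR_FORWARD come from the reply; the policy rules, the addresses (RFC 5737 documentation ranges) and the single constructed drop entry are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Astaro's configuration. It reproduces the ordering
# described in the reply: a correction chain (FIX_CONNTRACK) is consulted
# before the state match, so a conntrack entry that has no corresponding
# policy rule is dropped instead of being accepted as ESTABLISHED/RELATED.

# Emit the ruleset in iptables-restore format.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:FIX_CONNTRACK - [0:0]
:TTT_ACCEPT - [0:0]
:USR_FORWARD - [0:0]
# 1. The correction chain runs first in every built-in chain.
-A INPUT -j FIX_CONNTRACK
-A FORWARD -j FIX_CONNTRACK
-A OUTPUT -j FIX_CONNTRACK
# 2. Only after that does the state match accept tracked traffic.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 3. New connections must pass the policy chains.
-A INPUT -m state --state NEW -j TTT_ACCEPT
-A FORWARD -m state --state NEW -j USR_FORWARD
# Policy rules: constructed sample values for this example only.
-A TTT_ACCEPT -p tcp --dport 21 -j ACCEPT
-A USR_FORWARD -p tcp --dport 80 -j ACCEPT
# FIX_CONNTRACK: one drop per tracked flow that no policy rule allows.
# Constructed entry: a tracked flow to port 22, which TTT_ACCEPT does not permit.
-A FIX_CONNTRACK -p tcp -s 203.0.113.5 -d 192.0.2.10 --dport 22 -j DROP
COMMIT
EOF
}

# Verify that in the given built-in chain the FIX_CONNTRACK jump comes
# before the RELATED,ESTABLISHED accept. Prints "ok" or "bad".
check_order() {
    chain="$1"
    fix_line=$(gen_ruleset | grep -n -- "^-A $chain -j FIX_CONNTRACK" | cut -d: -f1)
    state_line=$(gen_ruleset | grep -n -- "^-A $chain -m state --state RELATED,ESTABLISHED" | cut -d: -f1)
    if [ -n "$fix_line" ] && [ -n "$state_line" ] && [ "$fix_line" -lt "$state_line" ]; then
        echo ok
        return 0
    fi
    echo bad
    return 1
}

# Count the explicit per-entry drops present in FIX_CONNTRACK.
count_fix_drops() {
    gen_ruleset | grep -c -- "^-A FIX_CONNTRACK .* -j DROP"
}

for c in INPUT FORWARD OUTPUT; do
    printf '%s: %s\n' "$c" "$(check_order "$c")"
done
```

The ruleset can be loaded with `gen_ruleset | iptables-restore` on a test machine; the point of the check is that if the jump to FIX_CONNTRACK were ever placed after the state match, the drop rule would never be reached and the state match would accept the spoofed entry.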