stateful?

**elovkoff** · 11-15-2001, 03:38 PM

I'm playing around with ipchains on the rh7.2 machine.
I want to restrict all incoming traffic to my machine - I go to the Options tab and make default policies the following way:
Input: deny
forward: deny
output; accept

With this configuration I cannot browse internet from that machine. But when I change input to accept I can browse it.
IMHO you can hardly call it stateful - stateful is when firewalls remembers conection originated from LAN (provided it is allowed) and then allows this connection to 'return' back without creating a special rule.

**Feztaa** · 11-15-2001, 06:42 PM

You're right, ipchains is, afaik, not stateful.

However, the problem with your ruleset is that you don't even have it configured for statefulness even if it could - you're blocking all incoming packets no matter what happens. That means when you connect to a website, and the server sends you the web page you requested, your firewall drops it. Get my drift?

What you want to do is get iptables, which certainly is stateful, and set up a rule like this:

Code:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

That will do what you are looking for.

**elovkoff** · 11-16-2001, 11:52 AM

Well I was using GUI to add a rule and didn't fine any option there to make it statefull.Is it somehow different to work with gui interface and to write rules manually?

**Feztaa** · 11-16-2001, 02:10 PM

Yes, usually GUI tools cripple the functionality to make it easier to use.

As far as I know, ipchains is not stateful to begin with, so you'll have to upgrade to iptables. Then use those commands at the commandline, and it will be exactly what you want.

**elovkoff** · 11-16-2001, 03:43 PM

Good, thx.

**Feztaa** · 11-16-2001, 05:01 PM

No problem

**kenshi** · 11-22-2001, 10:47 PM

Ipchains does have some statefulness to it. If you want to block all incoming connections but allow all input from preexisting connections, just set the default to ACCEPT and do this line:

ipchains -A input -p tcp --syn -j REJECT

Or maybe the last word is DROP, I can't remember. You have a gui though so you'll have to figure out where all this stuff is.

**njcajun** · 12-17-2001, 10:40 PM

Just to clarify, ipchains does NOT have any statefulness 'in it'. It wasn't designed to be stateful. The fact that ipchains isn't stateful was a major impetus to the development of iptables. You can sorta *fake* statefulness by doing that default ACCEPT and the line above (by the way, REJECT *or* drop will work, but that really is a bad idea for a couple of reasons:

1. It doesn't allow for everything, it only specifies 'syn' stuff (what about special flags?) and only for the tcp protocol - which won't work for things like streaming media that use UDP.

2. Any time you set a default policy of ACCEPT, you're asking for trouble. It's pretty easy to go 'rule harvesting' on a firewall, create a packet that doesn't match, and BANG! With a default of ACCEPT, anything that doesn't match a DENY, DROP or REJECT rule is let in! With a default DENY rule, anything that isn't EXPLICITLY ALLOWED is dropped, rejected or denied.

Another reason to use iptables (and stateful stuff, in general) is it is TRUELY STATEFUL. It basically keeps a hash of connections, and then lets existing ones through - and it also checks packets further up on the OSI chain instead of just at the hardware level like ipchains. Considering all of the benefits it gives you over ipchains, the overhead cost is relatively cheap!

On the other hand, don't think that 'stateful' means 'secure'. Stateful firewalls CAN and ARE hacked. You should do your homework if you really want to be safe. :-)

**Feztaa** · 12-18-2001, 12:39 AM

For the record, I'm subscribed to Bugtraq's focus-linux list, and many other members of that list were very impressed with my iptables ruleset. I can post it if you'd like to see it