#1 Throws Rocks (Devshed Newbie, Cincinnati, Ohio; joined Mar 2002)

    ipchains SYN flag : outgoing requests


    Preface:
    I run a machine with RedHat 7.1 on my school's network with a firewall script I wrote in bash for ipchains.

    The machine cannot make outgoing connections (for example: the web browser cannot connect to an external web server) because of the -y SYN flag. I talked with one of my professors about a month ago, and we read through the LDP pages and fixed the problem. Unfortunately, all I did was append the chain from the bash prompt, I didn't update my script. A few weeks ago, I accidentally rebooted my machine while switching between Gnome and KDE. When my firewall script went back into effect, the outgoing connections were again blocked.

    I have spent the past hour RTFMing and STFWing, and trying to brute-force the -y flag to make it work, but all of it resulted in failure.

    I don't filter outgoing traffic at all. The solution to this problem revolves entirely around the -y flag in one of the firewall chains. The examples I've found in LDP (kernel.org/LDP) and from google haven't helped.

    Does anyone have any suggestions or know how to remedy this?
    Two things have come out of Berkeley, Unix and LSD.
    It is uncertain which caused the other.
#2 Contributing User (Devshed Newbie; joined Jan 2001)

    First off, I don't know anything about ipchains/iptables.
    ipchains, being a stateless packet filter, is not smart enough to track packet state, thus whatever flags you set are really useless, because it doesn't know how to keep state, say, on the SYN flag.
    That said, you should not reject anything based on any flag in a TCP packet.

    Imagine the following ruleset in ipfilter:

    pass out quick all
    block in quick proto tcp all flags S
    pass in quick proto tcp all
    block in quick all

    This really blocks all inbound tcp because of the required flags S. Although the next rule allows inbound tcp, the quick keyword in the 2nd rule tells ipfilter to stop further processing.

    BTW, iptables is stateful, so you really should switch to iptables instead.
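The following is an added example written for this thread; it is not code from either poster, nor from ipchains or ipfilter. It models the two things the thread turns on: what ipchains' -y actually tests (per the ipchains man page, a TCP packet with SYN set and ACK and FIN clear, i.e. only the opening packet of a new connection, which is also what the first post is trying to filter) and first-match-wins chain evaluation (the behaviour the second reply's ipfilter ruleset relies on via the quick keyword). The chains, rules, interface names and sample packets are constructed assumptions, not the original poster's script.

```python
"""Simulate ipchains' -y (SYN) match and first-match chain walking.

Added example for the thread above, not code from the posters or from
ipchains itself. Every rule, interface and packet here is constructed.
ipchains is stateless: a rule sees only the packet in hand, so '-y'
decides purely on that packet's TCP flags.
"""
from dataclasses import dataclass
from typing import Optional

SYN, ACK, FIN = "SYN", "ACK", "FIN"


@dataclass(frozen=True)
class Packet:
    chain: str          # "input" or "output"
    iface: str          # interface the packet arrives on or leaves by
    proto: str          # "tcp", "udp", "icmp"
    flags: frozenset    # TCP flags set on this packet (empty for non-TCP)


def syn_only(pkt: Packet) -> bool:
    """ipchains -y: TCP, SYN set, ACK and FIN clear."""
    return pkt.proto == "tcp" and SYN in pkt.flags and not ({ACK, FIN} & pkt.flags)


@dataclass(frozen=True)
class Rule:
    target: str                   # -j ACCEPT / DENY / REJECT
    proto: Optional[str] = None   # -p
    iface: Optional[str] = None   # -i
    syn: Optional[bool] = None    # True for -y, False for ! -y, None if absent

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.syn is not None and syn_only(pkt) != self.syn:
            return False
        return True


def walk(rules, policy: str, pkt: Packet) -> str:
    """First matching rule with a target decides; otherwise the chain policy.
    ipfilter's 'quick' keyword gives the same stop-at-first-match behaviour."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed rulesets (assumptions, not the original poster's script).
# ipchains -A input -i eth0 -p tcp -y -j DENY
INPUT_EXTERNAL_ONLY = [Rule("DENY", proto="tcp", iface="eth0", syn=True)]
# ipchains -A input -p tcp -y -j DENY   (no -i: also hits loopback)
INPUT_ALL_IFACES = [Rule("DENY", proto="tcp", syn=True)]

# Constructed packets as seen by the input chain.
INBOUND_NEW = Packet("input", "eth0", "tcp", frozenset({SYN}))         # someone connecting to us
REPLY_TO_OURS = Packet("input", "eth0", "tcp", frozenset({SYN, ACK}))  # a server answering our SYN
LOOPBACK_NEW = Packet("input", "lo", "tcp", frozenset({SYN}))          # local client -> local daemon
INBOUND_UDP = Packet("input", "eth0", "udp", frozenset())


def verdicts(rules, policy: str = "ACCEPT") -> dict:
    """Verdict of each sample packet under the given input chain."""
    return {
        "inbound_new": walk(rules, policy, INBOUND_NEW),
        "reply_to_ours": walk(rules, policy, REPLY_TO_OURS),
        "loopback_new": walk(rules, policy, LOOPBACK_NEW),
        "inbound_udp": walk(rules, policy, INBOUND_UDP),
    }


if __name__ == "__main__":
    for label, rules in (("-i eth0 -p tcp -y -j DENY", INPUT_EXTERNAL_ONLY),
                         ("-p tcp -y -j DENY", INPUT_ALL_IFACES)):
        print(label, verdicts(rules))
```

Running it shows that a -y DENY rule in the input chain leaves the SYN+ACK reply to a connection this host opened alone (SYN+ACK fails the -y test), so a rule of that shape on its own is not enough to block outgoing connections; the variant without -i eth0, by contrast, also denies new connections to local daemons over lo. Reordering rules changes verdicts because the first match wins, which is exactly the effect the second reply describes for ipfilter's quick rules.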
