mailing list archives
Re: Ambiguities in TCP/IP - firewall bypassing
From: Aaron Hopkins <lists () die net>
Date: Sat, 19 Oct 2002 01:24:39 -0700 (PDT)
On Sat, 19 Oct 2002, Florian Weimer wrote:
"established" in Cisco parlance does not mean "SYN unset", but "ACK or RST
set". This means that the impact for non-Linux hosts (which do not react
to SYN-RST packets according to Paul's survey) is less severe if your
filters run IOS.
This is true for IOS up through 11.3. The 12.0, 12.1, and 12.2
established: (Optional) For the TCP protocol only: Indicates an
established connection. A match occurs if the TCP datagram
has the ACK, FIN, PSH, RST, SYN or URG control bits set.
The nonmatching case is that of the initial TCP datagram to
form a connection."
If the documentation is correct, then you can fool IOS 12.0+ "permit tcp any
any established" at the top of an access list into letting you make
connections to any port on at least Linux 2.4.19, Solaris 5.8, FreeBSD 4.5,
and Windows NT 4.0, as reported by Paul Starzetz in the post starting this
Anyone want to test this?
As a result of this bug, it's quite complicated (if not impossible in some
configurations) to properly filter connection attempts to Linux hosts on
Cisco IOS routers.
Thats not necessarily true. At least with current IOS (12.2, perhaps
earlier), you can specify "permit tcp any any ack" instead of "permit tcp
any any established" to work around this bug entirely and retain almost all
All packets will be accepted that would have been by IOS < 12.0
"established", except those containing RST and not ACK. At least Linux only
generates these in response to an ACK, which would mean you might have to
time out the occasional connection instead of getting a "Connection reset by
So in leiu of any other fixes, I'd recommend replacing "established" with
"ack" in all access-lists if your IOS supports it.
Re: Ambiguities in TCP/IP - firewall bypassing Florian Weimer (Oct 19)
Re: Ambiguities in TCP/IP - firewall bypassing David Wagner (Oct 19)
RE: Ambiguities in TCP/IP - firewall bypassing Ofir Arkin (Oct 22)
- Re: Ambiguities in TCP/IP - firewall bypassing, (continued)