[CLUE-Tech] Here's an idea.

Keith Hellman kehellman at yahoo.com
Mon Apr 21 13:34:39 MDT 2003


On Mon, Apr 21, 2003 at 12:37:28PM -0600, David Anselmi wrote:
> Keith Hellman wrote:
> >On Sat, Apr 19, 2003 at 06:39:06PM -0600, David Anselmi wrote:
> > 
> >
> >>Then I had an idea.  Write a cron job to undo my iptables commands every 
> >>5 minutes.  That way being locked out wouldn't be as painful.
> >>
> >
> >Did you actually undo all your commands, or simply run an iptables
> >command that makes sure ssh is available to your box?
> 
> That reminds me that I'm curious what happens to an existing connection 
> if a drop rule goes into effect and then out of effect while the 
> connection is idle.  Seems that the connection should stay up but I 
> don't know.
Funny, I started my reply describing this very same phenom.  A side
effect of using my personal notebook at work for ancillary testing,
the firewalling script I have on the notebook, that I usually just
ssh into the notebook (vs using two displays), and of course since I
always screw things up the first time, I have frequently
- sshd into my notebook, rsync/nfs copy testing binaries over
- run some tests, they fail, I realize (somewhere between seconds and
  hours later) that, doh, my firewall was up!
- through ssh to my notebook, I run my own '/etc/rc.d/fw off' command.
  This does complete DENIAL.
- now in this case, my latency isn't quite so poor (;^).  DOH, I just
  lobotomized my ssh connection
- open my notebook, login at console, run my own '/etc/rc.d/fw open'
  (no restrictions), and voilà, my ssh connection returns to the living.

A little embarrassing, but I've done this SO MANY times, I'm sure ssh
connections persist while drop rules are changed.
 
> And a related thought, what happens to existing connections when a dhcp 
> lease expires and the renewal changes the IP?  Wish I had time to explore.

Now this I've never done before, but I just experimented:
- through ssh to my notebook (which is set up with DHCP), I simply ran an
  ifconfig command to change the IP address to another known good static
  address on our net.
- my ssh connection immediately freezes, but from another console I can
  ping the notebook at the new address
- I reinsert my PCMCIA network card (effectively resetting ip
  configuration via DHCP), and my ssh connection again comes back to
  life.

I suppose this is what we should expect.  TCP is a point-to-point
connection between two specific IP addresses; when either end changes
its own configuration, that node simply won't respond (either with naks
or acks) to IP packets, since the destination IP doesn't match the newly
configured interface - the packet is probably dropped by the card
filter. (I would think the packets still *get there* because ARP/MAC
data hasn't changed.)  When you reestablish the correct network
configuration, all is well.

Either DROP rules or interface re-configuration of the TCP peer probably
presents the same symptoms (to the local machine) as the local machine's
network card being unplugged.

-- 
Keith Hellman                             #include <disclaimer.h>
kehellman at yahoo.com               from disclaimer import standard

Experience is a harsh teacher.  She gives the test before you learn the
lesson.
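The "undo my iptables commands automatically so a lockout isn't painful" idea from the quoted message, written out as a dead-man switch; this is an added example, not code from the thread or from either poster. It snapshots the current ruleset, loads the new one, and restores the snapshot unless the change is confirmed from a fresh ssh session within the window. The 300-second window, the /run/fw-guard state directory and the script name are assumptions.

```shell
#!/bin/sh
# Dead-man switch for iptables changes (added example, not from the list post).
#   fw-guard.sh apply /path/to/new-rules.v4   # as root, from the current session
#   fw-guard.sh confirm                       # from a NEW ssh session, within the window
# Assumptions: iptables-save/iptables-restore exist; window and state dir are constructed.

WINDOW="${FW_GUARD_WINDOW:-300}"           # seconds before automatic rollback
STATE_DIR="${FW_GUARD_DIR:-/run/fw-guard}" # holds the rule snapshot and confirm flag

# Return 0 (roll back) when no confirm flag exists in the given state dir.
needs_rollback() {
    [ ! -e "$1/confirmed" ]
}

# The exact restore command the watchdog will run (kept pure so it is testable).
rollback_cmd() {
    printf 'iptables-restore < %s/before.v4\n' "$1"
}

apply_with_guard() {
    rules="$1"
    mkdir -p "$STATE_DIR" && rm -f "$STATE_DIR/confirmed"
    iptables-save > "$STATE_DIR/before.v4" || return 1   # snapshot rules we can return to
    iptables-restore < "$rules" || return 1               # load the new ruleset atomically
    # Watchdog survives the ssh session dying (trap '' HUP); if nobody confirms
    # within $WINDOW seconds, the old rules come back and the event is logged.
    ( trap '' HUP
      sleep "$WINDOW"
      if needs_rollback "$STATE_DIR"; then
          eval "$(rollback_cmd "$STATE_DIR")"
          logger -t fw-guard "no confirmation within ${WINDOW}s, rules rolled back"
      fi ) >/dev/null 2>&1 &
    echo "new rules loaded; run '$0 confirm' within ${WINDOW}s or they roll back"
}

case "$1" in
    apply)   apply_with_guard "$2" ;;
    confirm) touch "$STATE_DIR/confirmed" && echo "rules kept" ;;
esac
```

Confirm only from a session opened after the new rules are in place; the existing session keeps working through a DROP rule, as the thread notes, so it proves nothing about whether new connections are still allowed.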