iptables stealth on kernel 2.6

iptables stealth on kernel 2.6

Postby vik » Thu Apr 26, 2007 3:20 am

Hello,

I built a kernel 2.6.20.7 with grsecurity-2.1.10-2.6.20.7-200704241759.patch and iptables 1.3.7 with grsecurity-iptables-1.3.5.patch.

With no iptables rules at all, after:

Code:
 iptables -A INPUT -p tcp -m stealth -j REJECT


I get "Connection refused" on all open TCP ports. Already established connections work ok.
The same thing with udp, no answer from the dns server after:

Code:
 iptables -A INPUT -p udp -m stealth -j REJECT


In kernel config, stealth match support is enabled as built in.

Thanks in advance,
Victor
vik
 
Posts: 11
Joined: Wed Aug 30, 2006 8:44 am

same on 2.6.21

Postby vik » Mon May 14, 2007 9:33 am

The same on 2.6.21.1-grsec (grsecurity-2.1.10-2.6.21-200705071727.patch).

These two rules used to work for many years as the first ones in INPUT:

Code:
iptables -A INPUT -p tcp -m stealth -j DROP
iptables -A INPUT -p udp -m stealth -j DROP


They still work on some servers, the newest one with a 2.6.17.11-grsec. I don't know when they started to consider all ports stealth, even if some software listens there.

Is this a bug or is there something changed and I should use it in some other way?

Thanks,
Victor
vik
 
Posts: 11
Joined: Wed Aug 30, 2006 8:44 am

200706042125 patch

Postby vik » Fri Jun 15, 2007 2:33 am

I feel like talking to myself here...

I have just installed a 64bit system with kernel 2.6.21.5-grsec (grsecurity-2.1.10-2.6.21.3-200706042125.patch). Stealth matches any new packet.
vik
 
Posts: 11
Joined: Wed Aug 30, 2006 8:44 am

Postby spender » Mon Jun 18, 2007 8:18 pm

Hi vik,

The latest test patch should resolve this issue. Let me know if you still have problems with it.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Works now

Postby vik » Tue Jun 19, 2007 3:36 am

Hello,

It is working now on 32bit, I can't test it on 64bit yet. Thanks.

Victor
vik
 
Posts: 11
Joined: Wed Aug 30, 2006 8:44 am
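A way to check on a patched host that the stealth match behaves as vik expects (only packets to ports nothing listens on are matched), as an added example that is not part of this thread and not grsecurity's own code. It assumes root, an iptables with the grsecurity stealth patch, a traditional netcat that accepts `nc -l -p PORT`, and two arbitrary unused port numbers; the classification function is pure shell and can be exercised without the probe.

```shell
#!/bin/sh
# Added example: verify "-m stealth" on a live host. Port numbers are
# constructed test values; override them with OPEN_PORT / CLOSED_PORT.
OPEN_PORT=${OPEN_PORT:-34567}      # a listener is started here
CLOSED_PORT=${CLOSED_PORT:-34568}  # nothing listens here

# Decision logic only: $1 is the probe result for the open port,
# $2 the result for the closed port ("ok" = connected, "fail" = not).
classify_stealth() {
  if [ "$1" = ok ] && [ "$2" = fail ]; then
    echo correct      # only the closed port is stealthed
  elif [ "$1" = fail ]; then
    echo matches-all  # behaviour reported in this thread: every new packet matched
  else
    echo no-effect    # open and closed both reachable: rule did nothing
  fi
}

# Try a TCP connect to 127.0.0.1:$1 with a 2 second timeout.
probe() {
  if nc -z -w 2 127.0.0.1 "$1" 2>/dev/null; then echo ok; else echo fail; fi
}

# Insert a DROP rule at the head of INPUT (as in the rules above), probe
# both ports, then remove the rule and the listener again.
run_check() {
  nc -l -p "$OPEN_PORT" >/dev/null 2>&1 &
  listener=$!
  iptables -I INPUT 1 -p tcp -m stealth -j DROP
  open=$(probe "$OPEN_PORT")
  closed=$(probe "$CLOSED_PORT")
  iptables -D INPUT -p tcp -m stealth -j DROP
  kill "$listener" 2>/dev/null
  classify_stealth "$open" "$closed"
}

if [ "${1:-}" = run ]; then run_check; fi
```

Run it as `sh stealth-check.sh run`; a result of `matches-all` is the symptom described in this thread, `correct` is the expected behaviour after the fixed patch.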
