From: Chris Brenton <cbrenton@chrisbrenton.org>
To: jimm@simutronics.com
Cc: netfilter@lists.netfilter.org
Subject: Re: Dropping SYN with FIN flag set
Date: 21 Oct 2003 12:39:53 -0400
Message-ID: <1066754393.1557.29.camel@valhalla>
In-Reply-To: <NDBBKABJBJCIJNAELLKEEEDOJDAA.jimm@simutronics.com>
On Tue, 2003-10-21 at 11:47, James Miller wrote:
>
> Nessus is always alerting on "Remote host does not discard TCP SYN packets
> which have the FIN flag set". What is the best way to close up this hole?
One of the nice things you get with iptables over many commercial
offerings is the flexibility to deal with stuff like this. ;-)
> something like '-p tcp --tcp-flags SYN,FIN -j DROP'
Here is what I do:
# Mask ALL (FIN,SYN,RST,PSH,ACK,URG) so each rule matches only packets
# with exactly the listed flag bits set and the remaining five clear.

# SYN+ACK only
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN,ACK -j LOG \
    --log-prefix " SYNACK "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN,ACK -j REJECT \
    --reject-with icmp-host-unreachable

# SYN+FIN (the combination Nessus is complaining about)
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN,FIN -j LOG \
    --log-prefix " SYNFINSCAN "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN,FIN -j REJECT \
    --reject-with icmp-host-unreachable

# FIN only (FIN scan)
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL FIN -j LOG \
    --log-prefix " FINSCAN "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL FIN -j REJECT \
    --reject-with icmp-host-unreachable

# No flags at all (NULL scan)
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL NONE -j LOG \
    --log-prefix " NULLSCAN "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL NONE -j REJECT \
    --reject-with icmp-host-unreachable

# FIN+PSH+URG (nmap Xmas scan)
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL FIN,PSH,URG -j LOG \
    --log-prefix " NMAPXMAS "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL FIN,PSH,URG -j REJECT \
    --reject-with icmp-host-unreachable
I prefix these traffic patterns to make them easier to parse out of the
logs, and then reject the traffic with a host unreachable. I like using
type 3's rather than drops as it confuses the scanner on the other end
and many times shuts it down (i.e. the scanner gives up, thinking the host
is not on-line).
HTH,
C
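The rules above depend on two things that are easy to get wrong: the `--tcp-flags mask comp` semantics (only the bits in the mask are examined, and they must equal comp exactly), and the log prefixes being parseable later. The following Python is an added example, not code from the original post or the netfilter project: it emulates the match for the five rule pairs in the order posted, parses constructed kernel LOG lines carrying those prefixes, and cross-checks that the flags printed in each log line really do hit the rule whose prefix was logged. The hostnames, addresses and log lines are made up for the example. One caveat for anyone copying the rules: `--tcp-flags ALL SYN,ACK` on `-i eth0` also matches the SYN/ACK replies to connections that internal hosts open outward, so it must sit behind an earlier rule that accepts ESTABLISHED,RELATED traffic.

```python
"""Emulate iptables --tcp-flags matching and parse the LOG prefixes from the post.

Added example; sample log lines are constructed, not captured from a real system.
"""
import re
from collections import Counter

# The six flags that --tcp-flags knows by name; ALL is their union, NONE is empty.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = 0x3F


def flagset(spec):
    """Turn 'SYN,ACK', 'ALL' or 'NONE' into a bitmask the way the --tcp-flags arguments do.
    Unknown names (e.g. ECE, CWR printed by newer kernels) map to 0: they fall outside ALL."""
    if spec == "ALL":
        return ALL
    if spec in ("NONE", ""):
        return 0
    return sum(TCP_FLAGS.get(f.strip(), 0) for f in spec.split(","))


def tcp_flags_match(packet_flags, mask, comp):
    """iptables semantics: look only at the bits in `mask`; match when they equal `comp`."""
    return (flagset(packet_flags) & flagset(mask)) == flagset(comp)


# The rule pairs from the post, in order; first match wins. (mask, comp, log prefix)
RULES = [
    ("ALL", "SYN,ACK", "SYNACK"),
    ("ALL", "SYN,FIN", "SYNFINSCAN"),
    ("ALL", "FIN", "FINSCAN"),
    ("ALL", "NONE", "NULLSCAN"),
    ("ALL", "FIN,PSH,URG", "NMAPXMAS"),
]


def classify(packet_flags):
    """Return the log prefix of the first rule a packet hits, or None if none match."""
    for mask, comp, prefix in RULES:
        if tcp_flags_match(packet_flags, mask, comp):
            return prefix
    return None


# Kernel LOG output: "kernel: <prefix>IN=... SRC=... DST=... PROTO=TCP ... DPT=... RES=0x00 SYN FIN URGP=0"
LOG_RE = re.compile(
    r"kernel:\s*(?P<prefix>SYNACK|SYNFINSCAN|FINSCAN|NULLSCAN|NMAPXMAS)\s+"
    r"IN=(?P<iif>\S*)\s+.*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)"
)
# The flag names the LOG target prints sit between RES=... and URGP=.
FLAGS_RE = re.compile(r"RES=\S+\s+(?P<flags>.*?)URGP=")


def flags_from_log(line):
    """Recover the flag words from a LOG line as a comma list ('SYN,FIN'); empty set -> 'NONE'."""
    m = FLAGS_RE.search(line)
    words = m["flags"].split() if m else []
    return ",".join(words) if words else "NONE"


def summarize(lines):
    """Count hits per (prefix, source address) so a single scanner stands out in the log."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            counts[(m["prefix"], m["src"])] += 1
    return counts


def consistent(lines):
    """True when every logged prefix equals the rule the line's own flags would hit."""
    for line in lines:
        m = LOG_RE.search(line)
        if m and classify(flags_from_log(line)) != m["prefix"]:
            return False
    return True


# Constructed sample log (hostname, addresses and timestamps are invented for the example).
SAMPLE_LOG = """\
Oct 21 12:40:01 fw kernel:  SYNFINSCAN IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=42 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Oct 21 12:40:01 fw kernel:  SYNFINSCAN IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=42 ID=2 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Oct 21 12:40:02 fw kernel:  NMAPXMAS IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=42 ID=3 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Oct 21 12:40:05 fw kernel:  NULLSCAN IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=4 PROTO=TCP SPT=50000 DPT=25 WINDOW=1024 RES=0x00 URGP=0
Oct 21 12:40:09 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=5 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (prefix, src), n in sorted(summarize(lines).items()):
        print(f"{prefix:<12} {src:<15} {n}")
    print("log prefixes agree with rule logic:", consistent(lines))
```

`tcp_flags_match` is where the mask matters: with mask `SYN,FIN` a packet carrying SYN+FIN+ACK still matches comp `SYN,FIN`, whereas with mask `ALL` it does not, which is why the posted rules use `ALL` to pin down exact flag combinations.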
Thread overview: 8+ messages
2003-10-21 15:47 Dropping SYN with FIN flag set James Miller
2003-10-21 16:39 ` Chris Brenton [this message]
2003-10-21 17:51 ` Jeffrey Laramie
2003-10-21 18:56 ` Chris Brenton
2003-10-21 19:29 ` Tom Marshall
2003-10-21 19:47 ` Chris Brenton
2003-10-21 20:35 ` Jeffrey Laramie
2003-10-21 21:35 ` Chris Brenton