From: "Gáspár Lajos" <swifty@freemail.hu>
To: JC Janos <jcjanos245@gmail.com>,
Netfilter list <netfilter@vger.kernel.org>
Subject: Re: Which "illegal" tcp-fragments should be blocked?
Date: Tue, 25 Nov 2008 15:11:00 +0100
Message-ID: <492C0774.9070002@freemail.hu>
In-Reply-To: <7259d7020811240901o53a4fd7bt99985dd2b3a7cb74@mail.gmail.com>
Hi!
I use the following five combinations to filter bogus packets:
ALL NONE
ALL URG,PSH,FIN
RST,SYN RST,SYN
RST,FIN RST,FIN
SYN,FIN SYN,FIN
Swifty
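As an added illustration (not part of the reply above), the snippet below simulates the `--tcp-flags "mask" "comp"` test that the tcp match performs, `(flags & mask) == comp`, against the five pairs listed above, so you can check which packets they drop and which ordinary handshake, data and teardown segments pass untouched. The sample packets are constructed for the demonstration.

```python
# Added example: simulate iptables --tcp-flags "mask" "comp" matching for the
# five rules in the reply. Sample packets below are constructed, not captured.
from typing import List, Optional, Tuple

# TCP header flag bits. iptables' --tcp-flags only accepts the first six names
# plus ALL (= those six, 0x3F) and NONE; ECE/CWR are included here only so
# that ECN-marked sample packets can be built.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
ALL_MASK = 0x3F

# The five mask/comp pairs from the reply, in the order given.
RULES: List[Tuple[str, str]] = [
    ("ALL", "NONE"),            # no flags set at all ("NULL" packet)
    ("ALL", "URG,PSH,FIN"),     # only URG, PSH and FIN set ("Xmas" packet)
    ("RST,SYN", "RST,SYN"),     # RST and SYN together
    ("RST,FIN", "RST,FIN"),     # RST and FIN together
    ("SYN,FIN", "SYN,FIN"),     # SYN and FIN together
]

def parse_flags(spec: str) -> int:
    """Turn an iptables-style flag list ("SYN,FIN", "ALL", "NONE") into a bitmask."""
    spec = spec.strip().upper()
    if spec == "NONE":
        return 0
    if spec == "ALL":
        return ALL_MASK
    return sum(FLAG_BITS[name] for name in spec.split(","))

def rule_matches(packet_flags: int, mask: str, comp: str) -> bool:
    """tcp match semantics: the bits selected by mask must equal comp exactly."""
    return (packet_flags & parse_flags(mask)) == parse_flags(comp)

def first_dropping_rule(packet: str) -> Optional[Tuple[str, str]]:
    """Return the first of the five rules that would DROP `packet`, or None if
    the packet passes all five (and the chain continues to later rules)."""
    flags = parse_flags(packet)
    for mask, comp in RULES:
        if rule_matches(flags, mask, comp):
            return (mask, comp)
    return None

if __name__ == "__main__":
    # Normal traffic, an ECN-capable SYN, and the malformed combinations.
    for pkt in ["SYN", "SYN,ACK", "ACK", "PSH,ACK", "FIN,ACK", "RST,ACK",
                "SYN,ECE,CWR", "NONE", "URG,PSH,FIN", "SYN,FIN", "SYN,RST", "FIN"]:
        hit = first_dropping_rule(pkt)
        print(f"{pkt:12s} -> {'DROP by ' + str(hit) if hit else 'passes all five'}")
```

Running it shows that a lone FIN with no ACK passes all five rules; whether to treat that as bogus is a separate decision, usually handed to a conntrack state rule rather than another flag combination.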
JC Janos wrote:
> I've read on numerous sites, and in bunches of examples, that "illegal
> tcp fragments" should be blocked early in a firewall rule set.
>
> As I understand it, the rule takes the form,
>
> iptables -A INPUT -p tcp --tcp-flags "mask" "comp" -j DROP
>
> Every source I read seems to match & block a different combination of
> fragments. So far, the list of "block these" mask/comp pairs that
> I've come across are:
>
> "mask" "comp"
> ---------------- ----------------
> ALL ALL
> ALL NONE
> ALL FIN,URG,PSH
> ALL FIN,URG,PSH
> ALL SYN,RST,ACK,FIN,URG
> ACK ACK
> FIN,ACK FIN
> FIN,URG,PSH FIN,URG,PSH
> SYN NONE
> SYN,RST SYN,RST
> SYN,FIN,RST,ACK NONE
> SYN,FIN,RST,ACK,URG NONE
> SYN,FIN SYN,FIN
> SYN,FIN,RST,ACK FIN
> SYN,FIN,RST,ACK,URG URG
> SYN,FIN SYN,FIN
> SYN,FIN,RST,ACK SYN,FIN
> SYN,FIN,RST,ACK,URG,PSH,ECE,CWR FIN,URG,PSH
> SYN,FIN,RST,ACK,URG SYN,FIN,RST,ACK,URG
> SYN,FIN,RST,ACK,URG,PSH SYN,FIN,RST,ACK,URG,PSH
>
> Which of these are really valid targets to block? Each of the pairs
> is blocked at least sometimes; no one I've found so far blocks them
> all. Is this list even complete?
>
> Thanks.
>
> --JC
2008-11-24 17:01 Which "illegal" tcp-fragments should be blocked? JC Janos
2008-11-25 14:11 ` Gáspár Lajos [this message]
2008-11-26 17:00 ` JC Janos
2008-11-27 14:58 ` Gáspár Lajos
2008-11-27 16:10 ` JC Janos