From: "Gáspár Lajos" <swifty@freemail.hu>
To: JC Janos <jcjanos245@gmail.com>,
Netfilter list <netfilter@vger.kernel.org>
Subject: Re: Which "illegal" tcp-fragments should be blocked?
Date: Thu, 27 Nov 2008 15:58:48 +0100
Message-ID: <492EB5A8.1040402@freemail.hu>
In-Reply-To: <7259d7020811260900p64a3f60as27102d958c2ef103@mail.gmail.com>
Hi,
After sending you my list I found some bugs. :D
We have the following flags:
(http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure)
URG, ACK, PSH, RST, SYN, FIN
There are 64 (=2 to the power 6) variations possible.
So here is my new INVALID list:
ACK,SYN,FIN,RST NONE --> -4 variations. (PSH and URG never should be
set alone.)
RST,SYN RST,SYN --> -16 variations.
RST,FIN RST,FIN --> -8 variations.
SYN,FIN SYN,FIN --> -8 variations.
After this we have 28 "valid" variations.
If we do not check PSH and URG flags then only these 7 combinations are
valid:
RST
FIN
SYN
ACK
ACK-RST
ACK-FIN
ACK-SYN
I do not know if there are any restrictions on using PSH and URG flags...
In three-way handshake we see: SYN, SYN-ACK, ACK.
In connection termination: FIN, ACK, FIN-ACK.
Check this too: http://kerneltrap.org/node/3072
Swifty
JC Janos wrote:
> Gaspar,
>
> 2008/11/25 Gáspár Lajos <swifty@freemail.hu>:
>
>> Hi!
>>
>> I use the following five combinations to filter bogus packets:
>>
>
> Why those in particular, and not the others? Your set also adds one
> mask/comp pair,
>
> RST,FIN RST,FIN
>
> It seems that just about every example uses a different combination of
> fragment rules. I'm simply wondering what the logic in choosing one
> over the other is.
>
> Is there maybe some documentation you can point to?
>
> --JC
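The counting in the message above can be checked by enumerating all 64 flag bytes against the four mask/comp pairs, using the iptables --tcp-flags semantics: a packet matches when, of the flags named in mask, exactly those named in comp are set. This is an added example, not part of the original message; the function names are the example's own, and each rule is credited only with combinations that no earlier rule already matched.

```python
# TCP flag bits in header order (low six bits of the flags byte).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# The four mask/comp pairs from the message, in evaluation order.
INVALID_RULES = [
    ("ACK,SYN,FIN,RST", "NONE"),
    ("RST,SYN", "RST,SYN"),
    ("RST,FIN", "RST,FIN"),
    ("SYN,FIN", "SYN,FIN"),
]


def to_bits(names):
    """Turn a list such as 'RST,SYN' (or 'NONE') into a bitmask."""
    if names == "NONE":
        return 0
    bits = 0
    for name in names.split(","):
        bits |= FLAGS[name]
    return bits


def first_match(flags):
    """Index of the first rule matching this flag byte, or None if no rule does."""
    for i, (mask, comp) in enumerate(INVALID_RULES):
        if (flags & to_bits(mask)) == to_bits(comp):
            return i
    return None


def tally():
    """Per-rule count of newly dropped combinations, plus the surviving ones."""
    dropped = [0] * len(INVALID_RULES)
    valid = []
    for flags in range(64):
        i = first_match(flags)
        if i is None:
            valid.append(flags)
        else:
            dropped[i] += 1
    return dropped, valid


def core_combinations(valid):
    """Surviving combinations with PSH and URG ignored, named as in the message."""
    order = ("ACK", "RST", "SYN", "FIN")
    return {"-".join(n for n in order if f & FLAGS[n]) for f in valid}


if __name__ == "__main__":
    dropped, valid = tally()
    print(dropped, len(valid), sorted(core_combinations(valid)))
```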