From: Glenn Terjesen
Reply-To: glenn@webcat.no
To: netfilter@lists.netfilter.org
Subject: RE: is it possible to block ip packets that contains experimental tcp options ?
Date: Mon, 21 May 2007 13:55:44 +0200
Message-ID: <1179748544.32083.25.camel@bathory.webcat.no>
In-Reply-To: <1179747134.32083.19.camel@bathory.webcat.no>

Was a little too fast there..

iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

did not fix it..

I'm gonna take a look at Paul Blondé's suggestion and just ignore the traffic, I suppose..

On Mon, 2007-05-21 at 13:32 +0200, Glenn Terjesen wrote:
> Hi,
> What I meant with "experimental tcp options" is that my IDS (Snort)
> kept logging these "experimental tcp options"
>
> #
> code 76
> length 8
> data 01019DEDBEF00005
>
> I know this ain't a Snort list, but my servers don't serve any services
> that require this kind of traffic.
>
> So I was wondering if iptables has any way of blocking these.
>
> These two magic lines fixed it all
> iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
> iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
>
> Thanks a lot for the help.
>
> On Thu, 2007-05-17 at 13:18 -0400, Marc Cozzi wrote:
> > Paul,
> >
> > I believe that's correct. Although I'm still not
> > sure what was originally meant by "experimental tcp options".
> >
> > -marc
> >
> > > -----Original Message-----
> > > From: Paul Blondé [mailto:jpb@entel.ca]
> > > Sent: Thursday, May 17, 2007 11:09 AM
> > > To: netfilter@lists.netfilter.org
> > > Subject: RE: is it possible to block ip packets that contains experimental tcp options ?
> > >
> > > I assume that LOG-AND-DROP is your own chain, crafted so that
> > > you can perform both functions with a single entry?
> > >
> > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > Paul Blondé
> > >
> > > > -----Original Message-----
> > > > From: netfilter-bounces@lists.netfilter.org
> > > > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Marc Cozzi
> > > > Sent: Wednesday, May 16, 2007 5:19 AM
> > > > To: netfilter@lists.netfilter.org
> > > > Subject: RE: is it possible to block ip packets that contains experimental tcp options ?
> > > >
> > > > Glenn,
> > > >
> > > > Not sure what you mean by "experimental"; however, there are some
> > > > conditions of flags that should never occur on the network. These can
> > > > be trapped with rules similar to the following.
> > > >
> > > > iptables -A BLOCKED -m state --state INVALID -j LOG-AND-DROP
> > > > iptables -A BLOCKED -p tcp --tcp-flags ALL ALL -j LOG-AND-DROP
> > > > iptables -A BLOCKED -p tcp --tcp-flags ALL NONE -j LOG-AND-DROP
> > > >
> > > > --marc
> > > >
> > > > > -----Original Message-----
> > > > > From: Glenn Terjesen [mailto:glenn@webcat.no]
> > > > > Sent: Wednesday, May 16, 2007 5:24 AM
> > > > > To: netfilter@lists.netfilter.org
> > > > > Subject: is it possible to block ip packets that contains experimental tcp options ?
> > > > >
> > > > > Hello,
> > > > > got an iptables firewall filtering our servers.
> > > > >
> > > > > Is it possible to block tcp packets that contain experimental tcp options ?
> > > > >
> > > > > AND is it smart to do so ?
> > > > >
> > > > > --
> > > > > Mvh Glenn Terjesen @ Webcat AS
> > > > > Tlf: +47 37 02 20 20
> > > > > E-post: support@webcat.no
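The thread turns on two different parts of the TCP header: `--tcp-flags` compares only the flags byte (byte 13 of the fixed 20-byte header), whereas the options Snort reported sit in the variable-length area after that header, where the iptables tcp match reaches them with `--tcp-option <number>`. The following added example, which is not code from the thread or from the netfilter project, walks that options area the way an IDS decoder does and emulates the `--tcp-flags mask comp` test, so a reader can see on a constructed SYN why two flag rules never match an option-kind-76 segment. The TCP header, the set of "known" option kinds, the port numbers and the option payload bytes are all constructed for this example; the kind-76 option is modelled loosely on the Snort log entry and is not a capture of the original traffic.

```python
"""Walk TCP options and emulate iptables --tcp-flags on a constructed SYN.

Added example for the netfilter thread above; not part of the original mail.
"""
import struct

# Option kinds this example treats as ordinary (an assumption of the example,
# not an exhaustive IANA list).
KNOWN_KINDS = {
    0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale",
    4: "SACK-Permitted", 5: "SACK", 8: "Timestamps",
}
# RFC 4727 reserves kinds 253 and 254 for experimental use.
EXPERIMENTAL_KINDS = {253, 254}

# iptables --tcp-flags names mapped to bits of the flags byte (header byte 13).
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = tuple(TCP_FLAG_BITS)   # iptables "ALL"  = FIN,SYN,RST,PSH,ACK,URG
NONE = ()                    # iptables "NONE" = no flag set


def parse_tcp_options(segment: bytes):
    """Return (kind, data) pairs from the options area of a raw TCP header.

    Raises ValueError on a malformed area (bad data offset, truncated option,
    length 0 or 1) instead of looping forever as a naive walker would."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    opts = segment[20:data_offset]
    found = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                   # End of option list; the rest is padding
            found.append((0, b""))
            break
        if kind == 1:                   # NOP is one byte and has no length field
            found.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d truncated" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        found.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return found


def classify_kind(kind: int) -> str:
    if kind in KNOWN_KINDS:
        return "known:" + KNOWN_KINDS[kind]
    if kind in EXPERIMENTAL_KINDS:
        return "experimental"
    return "unknown"


def unexpected_options(segment: bytes):
    """Options an IDS would report: every kind outside KNOWN_KINDS."""
    return [(k, classify_kind(k), d.hex())
            for k, d in parse_tcp_options(segment) if k not in KNOWN_KINDS]


def matches_tcp_flags(segment: bytes, mask, comp) -> bool:
    """Emulate iptables '--tcp-flags mask comp': (flags & mask) == comp."""
    flags = segment[13] & 0x3F
    m = sum(TCP_FLAG_BITS[f] for f in mask)
    c = sum(TCP_FLAG_BITS[f] for f in comp)
    return (flags & m) == c


def build_syn(options: bytes) -> bytes:
    """Constructed TCP SYN header (port 12345 -> 80) carrying `options`,
    padded to a 4-byte boundary so the data offset field is exact."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, data_offset << 4,
                        TCP_FLAG_BITS["SYN"], 65535, 0, 0)
    return fixed + options


# Constructed sample: MSS 1460, NOP, NOP, then a kind-76 option of total
# length 8 (six data bytes), modelled on the "code 76 / length 8" Snort entry.
SAMPLE = build_syn(b"\x02\x04\x05\xb4" + b"\x01\x01"
                   + b"\x4c\x08" + bytes.fromhex("9dedbef00005"))
# Constructed malformed sample: kind 76 claiming a length of 1.
MALFORMED = build_syn(b"\x4c\x01")

if __name__ == "__main__":
    for kind, what, data in unexpected_options(SAMPLE):
        print("option kind %d (%s) data %s" % (kind, what, data))
    print("--tcp-flags ALL ALL matches: ", matches_tcp_flags(SAMPLE, ALL, ALL))
    print("--tcp-flags ALL NONE matches:", matches_tcp_flags(SAMPLE, ALL, NONE))
```

Run stand-alone it lists the kind-76 option and reports `False` for both flag rules, because a plain SYN has neither all flags nor no flags set. The length check in `parse_tcp_options` is the part worth keeping in any option walker: a crafted option with length 0 or 1 would otherwise stall the loop, and that is a common way a filter or IDS decoder gets knocked over by exactly the traffic it is supposed to inspect.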