From: "Gáspár Lajos" <swifty@freemail.hu>
To: JC Janos <jcjanos245@gmail.com>,
Netfilter list <netfilter@vger.kernel.org>
Subject: Re: Which "illegal" tcp-fragments should be blocked?
Date: Thu, 27 Nov 2008 15:58:48 +0100
Message-ID: <492EB5A8.1040402@freemail.hu>
In-Reply-To: <7259d7020811260900p64a3f60as27102d958c2ef103@mail.gmail.com>
Hi,
After sending you my list I found some bugs. :D
We have the following flags:
(http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure)
URG, ACK, PSH, RST, SYN, FIN
There are 64 (=2 to the power 6) variations possible.
So here is my new INVALID list:
ACK,SYN,FIN,RST NONE --> -4 variations. (PSH and URG never should be
set alone.)
RST,SYN RST,SYN --> -16 variations.
RST,FIN RST,FIN --> -8 variations.
SYN,FIN SYN,FIN --> -8 variations.
After this we have 28 "valid" variations.
If we do not check PSH and URG flags then only these 7 combinations are
valid:
RST
FIN
SYN
ACK
ACK-RST
ACK-FIN
ACK-SYN
I do not know if there are any restrictions on using PSH and URG flags...
In three-way handshake we see: SYN, SYN-ACK, ACK.
In connection termination: FIN, ACK, FIN-ACK.
Check this too: http://kerneltrap.org/node/3072
Swifty
JC Janos wrote:
> Gaspar,
>
> 2008/11/25 Gáspár Lajos <swifty@freemail.hu>:
>
>> Hi!
>>
>> I use the following five combinations to filter bogus packets:
>>
>
> Why those in particular, and not the others? Your set also adds one
> mask/comp pair,
>
> RST,FIN RST,FIN
>
> It seems that just about every example uses a different combination of
> fragment rules. I'm simply wondering what the logic in choosing one
> over the other is.
>
> Is there maybe some documentation you can point to?
>
> --JC
>
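
The counts in the message above can be checked by enumerating all 64 flag combinations against the four mask/comp pairs. This is an added example, not part of the original thread; it assumes the usual mask/comp meaning (of the flags named in the mask, exactly those in comp are set) and counts each combination under the first pair that matches it.

```python
from itertools import product

FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")

# (mask, comp) pairs from the INVALID list in the message; "NONE" is the empty set.
INVALID_RULES = [
    ({"ACK", "SYN", "FIN", "RST"}, set()),
    ({"RST", "SYN"}, {"RST", "SYN"}),
    ({"RST", "FIN"}, {"RST", "FIN"}),
    ({"SYN", "FIN"}, {"SYN", "FIN"}),
]


def matches(flags, mask, comp):
    """True when, among the flags in mask, exactly those in comp are set."""
    return (flags & mask) == comp


def all_combinations():
    """Yield each of the 2**6 possible flag sets as a frozenset."""
    for bits in product((False, True), repeat=len(FLAGS)):
        yield frozenset(f for f, on in zip(FLAGS, bits) if on)


def classify():
    """Return (combinations newly caught by each pair, list of unmatched sets)."""
    hits = [0] * len(INVALID_RULES)
    valid = []
    for combo in all_combinations():
        for i, (mask, comp) in enumerate(INVALID_RULES):
            if matches(combo, mask, comp):
                hits[i] += 1  # first match wins, so overlaps are not recounted
                break
        else:
            valid.append(combo)
    return hits, valid


def valid_ignoring_psh_urg(valid):
    """Collapse the unmatched sets by dropping PSH and URG."""
    return {combo - {"PSH", "URG"} for combo in valid}


if __name__ == "__main__":
    hits, valid = classify()
    print("newly caught per pair:", hits, "remaining:", len(valid))
    for c in sorted(valid_ignoring_psh_urg(valid), key=lambda c: (len(c), sorted(c))):
        print("-".join(f for f in FLAGS if f in c))
```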