Date: Tue, 2 Mar 2004 07:19:19 +0100
From: "Remko Lodder" <remko@elvandar.org>
To: "Shaun T. Erickson" <ste@ste-land.com>
Cc: freebsd-questions@freebsd.org
Subject: RE: ipfilter tcp flags question
Message-ID: <20040302061930.42CBA2B4DA4@mail.evilcoder.org>
In-Reply-To: <20040301231558.13C791F@mail.elvandar.org>
Hmm, not sure about the "if no flags are set". Isn't that stated in the obfuscation.org/ipf/ papers?

There is no overruling block behind that yet, btw. It's just the first lines I wrote, since I want to kick that traffic out now, instead of just before my overruling block line. I always use that:

- block default stuff that does not want to be in the other list
- pass stuff
- block all packets that are still alive here

Like that :)

Btw, the flags RU etc. are just the TCP flags. Are they set in the first packet, the second? Perhaps this clarifies a bit:

    Some examples use flags S/SA instead of flags S. flags S actually
    equates to flags S/AUPRFS and matches against only the SYN packet
    out of all six possible flags, while flags S/SA will allow packets
    that may or may not have the URG, PSH, FIN, or RST flags set. Some
    protocols demand the URG or PSH flags, and S/SAFR would be a better
    choice for these, however we feel that it is less secure to blindly
    use S/SA when it isn't required. But it's your firewall.

=> S/SAFR: allow those in {for tcp, of course}.

So:

- initial blocks (opt lsrr, opt ssrr, short, etc.)
- pass phrases with S/SAFR options
- block anything else

This might block undefined flags, not sure though :)

-- 
Kind regards,
Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl   Dutch community for helping newcomers on the hackerscene
mrtg.grunn.org           Dutch mirror of MRTG

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On behalf of Shaun T. Erickson
Sent: Tuesday, 2 March 2004 0:16
To: Remko Lodder
CC: freebsd-questions@freebsd.org
Subject: Re: ipfilter tcp flags question

Remko Lodder wrote:
> i do it like this:
>
> block in log quick proto tcp all flags FUP
> block in log quick proto tcp all flags SAFRU/SAFRU
> block in log quick proto tcp all flags SF/SF
> block in log quick proto tcp all flags SR/SR

I'll have to scratch my head over that one for a bit, before I understand it, but I guess you're saying that the above 4 rules imply a fifth, in that if none were set, it couldn't get through them, right? I really dislike implied rules, and avoid them if at all possible, as they are hard to maintain. :)

Is there no way to explicitly test for no flags being set?

-ste
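The flags/mask matching discussed in this thread, modelled as an added Python example (not code from the thread or from ipfilter itself). It assumes the semantics the quoted ipf text gives: a rule option `flags X/Y` matches when the packet's flags, masked by Y, equal X, and a bare `flags X` uses all six flags as the mask (so `flags S` is `flags S/AUPRFS`). The bit values assigned to the letters are arbitrary, and `REMKO_BLOCK_RULES` is just the four quoted rules reduced to their flags specs. Running it shows the point Shaun raises: a packet with no flags set matches none of the four `quick` block rules and falls through to whatever comes later in the ruleset.

```python
# Added example: models how an ipfilter "flags X/Y" option matches a TCP
# header, so the rules quoted in the thread can be reasoned about offline.
# Assumptions (from the quoted ipf text, not from ipfilter's source):
#   - a rule matches when (packet_flags & Y) == X
#   - "flags X" with no "/Y" means the mask is all six flags
# The bit values below are arbitrary; they only need to be distinct.

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = sum(FLAG_BITS.values())  # all six flags set


def letters_to_bits(letters):
    """Turn a flag string such as 'SA' into a bitmask; '' is the null set."""
    bits = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits


def parse_flags(spec):
    """Parse 'S', 'S/SA' or 'SAFRU/SAFRU' into (set_bits, mask_bits)."""
    if "/" in spec:
        want, mask = spec.split("/", 1)
        return letters_to_bits(want), letters_to_bits(mask)
    return letters_to_bits(spec), ALL_FLAGS


def matches(spec, packet_flags):
    """True if a packet carrying packet_flags satisfies the rule's flags spec."""
    want, mask = parse_flags(spec)
    return (letters_to_bits(packet_flags) & mask) == want


# The four "block in log quick proto tcp all flags ..." rules from the thread,
# reduced to their flags specs, in ruleset order.
REMKO_BLOCK_RULES = ["FUP", "SAFRU/SAFRU", "SF/SF", "SR/SR"]


def first_matching_rule(rules, packet_flags):
    """Index of the first rule whose flags spec matches the packet, or None
    when the packet falls through all of them (no quick rule fired)."""
    for i, spec in enumerate(rules):
        if matches(spec, packet_flags):
            return i
    return None


if __name__ == "__main__":
    # Constructed sample packets, given as the flag letters set in the header.
    samples = ["S", "SP", "SA", "FUP", "FUPA", "SFA", "SAFRUP", ""]
    for pkt in samples:
        hit = first_matching_rule(REMKO_BLOCK_RULES, pkt)
        label = pkt if pkt else "(null)"
        print(f"flags {label:7}: S={matches('S', pkt)!s:5} "
              f"S/SA={matches('S/SA', pkt)!s:5} first block rule hit: {hit}")
```

The comparison of `flags S` against `flags S/SA` reproduces the quoted passage: a SYN with PSH set is accepted by `S/SA` but not by `S`. The null-flags packet (empty string) reports `None`, i.e. none of the four block rules claim it, which is why a ruleset built this way still needs an explicit later rule to decide its fate.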