From owner-freebsd-questions@FreeBSD.ORG Mon Mar 1 22:19:33 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E5D3716A4CE for ; Mon, 1 Mar 2004 22:19:33 -0800 (PST)
Received: from mail.evilcoder.org (cust.94.120.adsl.cistron.nl [195.64.94.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4F70343D39 for ; Mon, 1 Mar 2004 22:19:31 -0800 (PST) (envelope-from remko@elvandar.org)
From: "Remko Lodder"
To: "Shaun T. Erickson"
Date: Tue, 2 Mar 2004 07:19:19 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
In-Reply-To: <20040301231558.13C791F@mail.elvandar.org>
Importance: Normal
X-Virus-Scanned: for evilcoder.org
Message-Id: <20040302061930.42CBA2B4DA4@mail.evilcoder.org>
cc: freebsd-questions@freebsd.org
Subject: RE: ipfilter tcp flags question
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 02 Mar 2004 06:19:34 -0000

Hmm, not sure about the "if no flags are set". Isn't that stated in the obfuscation.org/ipf/ papers?

There is not an overruling block behind that yet, btw. It's just the first lines I wrote, since I want to kick that traffic out now, instead of just before my overruling block line.

I always use that:

block default stuff that does not want to be in the other list
pass stuff
block all packets that are still alive here

Like that :)

btw, the flags RU etc. are just the TCP flags; are they set in the first packet, the second? Perhaps this clarifies a bit:

Some examples use flags S/SA instead of flags S. flags S actually equates to flags S/AUPRFS and matches against only the SYN packet out of all six possible flags, while flags S/SA will allow packets that may or may not have the URG, PSH, FIN, or RST flags set. Some protocols demand the URG or PSH flags, and S/SAFR would be a better choice for these, however we feel that it is less secure to blindly use S/SA when it isn't required. But it's your firewall.

=> S/SAFR allows those in {for tcp, of course}

So:

initial blocks (opt lsrr, opt ssrr, short, etc.)
pass phrases with S/SAFR options
block anything else

This might block undefined flags, not sure though :)

--
Kind regards,
Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl  Dutch community for helping newcomers on the hacker scene
mrtg.grunn.org          Dutch mirror of MRTG

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On behalf of Shaun T. Erickson
Sent: Tuesday, 2 March 2004 0:16
To: Remko Lodder
CC: freebsd-questions@freebsd.org
Subject: Re: ipfilter tcp flags question

Remko Lodder wrote:
> I do it like this:
>
> block in log quick proto tcp all flags FUP
> block in log quick proto tcp all flags SAFRU/SAFRU
> block in log quick proto tcp all flags SF/SF
> block in log quick proto tcp all flags SR/SR

I'll have to scratch my head over that one for a bit, before I understand it, but I guess you're saying that the above 4 rules imply a fifth in that if none were set, it couldn't get through them, right? I really dislike implied rules, and avoid them if at all possible, as they are hard to maintain. :)

Is there no way to explicitly test for no flags being set?

-ste
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
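The thread turns on two points: what `flags X/Y` in an ipfilter rule actually matches, and whether Remko's four `block` rules catch a TCP packet with no flags set at all. The following is an added example, written for this page and not code from either poster or from IP Filter itself. It models the match the way the quoted man page text describes it: a rule `flags SET/MASK` matches when `(tcp_flags & MASK) == SET`, and a bare `flags SET` uses all six flags (AUPRFS) as the mask. The flag bit values and the sample packets are constructed for the illustration; the "null flags" check is expressed only as the bit test itself, since the thread does not settle what the ipf rule syntax for it would be.

```python
# Model of IP Filter's "flags SET/MASK" matching, as described in the
# man page excerpt quoted in the thread.  Constructed example, not ipf code.

# Bit values are constructed for this model; only the six flags the
# quoted text talks about (A U P R F S) are represented.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = "AUPRFS"


def flag_mask(letters):
    """Turn a flag string such as 'SA' into a bitmask."""
    mask = 0
    for ch in letters:
        mask |= FLAG_BITS[ch]
    return mask


def parse_flags(spec):
    """'S' -> (S, AUPRFS); 'S/SA' -> (S, SA).

    Per the quoted text, a spec without '/' defaults its mask to all six
    flags, so 'flags S' is the same as 'flags S/AUPRFS'.
    """
    if "/" in spec:
        want, mask = spec.split("/", 1)
    else:
        want, mask = spec, ALL_FLAGS
    return flag_mask(want), flag_mask(mask)


def rule_matches(spec, packet_flags):
    """A rule matches when the masked packet flags equal the wanted set."""
    want, mask = parse_flags(spec)
    return (packet_flags & mask) == want


def first_matching_rule(rules, packet_flags):
    """Return the first rule spec that matches, or None (quick semantics)."""
    for spec in rules:
        if rule_matches(spec, packet_flags):
            return spec
    return None


def null_flags(packet_flags):
    """The explicit 'no flags set' test Shaun asks about, as a bit test."""
    return (packet_flags & flag_mask(ALL_FLAGS)) == 0


# The four flag specs from Remko's quoted block rules.
REMKO_BLOCKS = ["FUP", "SAFRU/SAFRU", "SF/SF", "SR/SR"]

if __name__ == "__main__":
    for name, pkt in [("SYN only", flag_mask("S")),
                      ("SYN+PSH", flag_mask("SP")),
                      ("SYN+FIN", flag_mask("SF")),
                      ("no flags", 0)]:
        print(f"{name:9s} S->{rule_matches('S', pkt)!s:5s} "
              f"S/SA->{rule_matches('S/SA', pkt)!s:5s} "
              f"blocked by: {first_matching_rule(REMKO_BLOCKS, pkt)} "
              f"null: {null_flags(pkt)}")
```

Running it shows the two things the thread argues about: `flags S` rejects a SYN that also carries PSH while `flags S/SA` accepts it, and a packet with no flags set matches none of the four block rules, so it is only caught by whatever later rule (or an explicit null-flags test) follows them.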