Date: Wed, 15 Jan 2003 11:18:45 -0800 (PST)
From: Julian Elischer
To: Josh Brooks
Cc: freebsd-hackers@freebsd.org
Subject: Re: simple tcp question (syn, no mss)

Why don't you put in a rule to catch them and count them?
Then after a day or two you can go see how many there were.

On Wed, 15 Jan 2003, Josh Brooks wrote:

>
> Will I ever see a _legitimate_ packet in the wild that is a SYN, and has
> no MSS ?
>
> If the answer is no, then is this a good rule to block those:
>
> ipfw add 00001 deny tcp from any to any tcpflags syn tcpoptions !mss
>
> Or is this one better:
>
> ipfw add 00002 deny tcp from any to any setup tcpoptions !mss
>
> -----
>
> I am simply trying to place a rule which blocks those packets and does not
> deny _any_ legitimate traffic (I don't consider nmapping to be legit for
> this discussion) - this is all provided that I am correct that there are
> no _legitimate_ packets in the wild that have a SYN and no MSS.
>
> thanks.
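
Added example, not part of the original thread: a Python model of what the two rule bodies quoted above test, run over constructed TCP headers to show the per-rule counts a counting rule would accumulate. It relies on ipfw(8) defining `setup` as `tcpflags syn,!ack`; the function names and sample segments are hypothetical and made up for illustration.

```python
import struct
from collections import Counter
SYN, ACK = 0x02, 0x10                 # TCP flag bits
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2   # TCP option kinds

def tcp_options(segment):
    """Return the set of option kinds present in a raw TCP header."""
    hdr_len = (segment[12] >> 4) * 4   # data offset, in bytes
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad TCP data offset")
    opts, kinds, i = segment[20:hdr_len], set(), 0
    while i < len(opts) and opts[i] != OPT_EOL:
        if opts[i] == OPT_NOP:         # one-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                      # malformed length: stop parsing
        kinds.add(opts[i])
        i += opts[i + 1]
    return kinds

def classify(segment):
    """Which of the two rule bodies from the post would match this segment."""
    flags, no_mss = segment[13], OPT_MSS not in tcp_options(segment)
    return {
        "tcpflags syn": bool(flags & SYN) and no_mss,
        "setup": bool(flags & SYN) and not flags & ACK and no_mss,  # syn,!ack
    }

def build(flags, options=b""):
    """Constructed sample segment with fixed ports and sequence numbers."""
    options += b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                       offset << 4, flags, 65535, 0, 0) + options

SAMPLES = {  # constructed segments, not captured traffic
    "syn+mss": build(SYN, bytes([OPT_MSS, 4]) + struct.pack("!H", 1460)),
    "syn bare": build(SYN),
    "syn+wscale": build(SYN, bytes([OPT_NOP, 3, 3, 7])),
    "synack bare": build(SYN | ACK),
    "ack": build(ACK),
}

def count_matches(samples):  # per-rule hit counts over all samples
    hits = Counter()
    for seg in samples.values():
        hits.update(rule for rule, hit in classify(seg).items() if hit)
    return hits
```

On these samples the `tcpflags syn` form also matches the SYN/ACK that carries no MSS, while `setup` matches only the two initial SYNs.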