On Monday 08 March 2004 9:14 pm, cldavis@xxxxxxxxxxxxx wrote:

> Antony:
>
> >
> > > As I understand it, this means "check the flags FIN and ACK, only match
> > > if FIN is set and ACK isn't". This would match packets that only have
> > > the FIN flag set, which I am fairly sure are valid. I may need
> > > correcting on this issue, however.
> >
> > You are correct.
>
> Packets that only have the FIN flag set are valid -- but I believe would be
> taken care of by the ESTABLISHED,RELATED rule.

Yes, that's a fair point.

> The FIN FLAG rule I entered
> just in case someone decided to bombard my systems with FIN flag packets
> only... Is that an unneeded rule to protect against a DoS attack?

I'm not aware of a DoS attack using FIN flags (since no resources get used by a
system when it receives a FIN packet), however people certainly do carry out
port scans using FIN packets, and therefore I agree with you, it's probably a
sensible thing to block.

Antony.

--
Software development can be quick, high quality, or low cost.
The customer gets to pick any two out of three.

Please reply to the list; please don't CC me.
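The rule the thread discusses ("check the flags FIN and ACK, only match if FIN is set and ACK isn't") is the standard iptables match `--tcp-flags FIN,ACK FIN`: the first list names the bits to examine, the second the bits that must be set among them. The following Python model is an added example, not code from the list thread or from the netfilter project; the sample packets and rule labels are constructed for illustration. It shows which flag combinations that match actually catches, including the point that a FIN packet carrying extra flags such as PSH or URG still matches while a normal FIN+ACK close does not, and contrasts it with the stricter `--tcp-flags ALL FIN`.

```python
# Added example (not from the list thread): a model of how the iptables
# match "--tcp-flags MASK COMP" decides whether a TCP packet matches,
# applied to a few constructed packets.  The packet names and rule labels
# below are assumptions for illustration only.

from typing import Iterable

# The six classic TCP flag bits in header order (RFC 793), plus the two
# shorthands iptables accepts in a flag list.
FLAG_BITS = {
    "FIN": 0x01,
    "SYN": 0x02,
    "RST": 0x04,
    "PSH": 0x08,
    "ACK": 0x10,
    "URG": 0x20,
}
FLAG_BITS["ALL"] = 0x3F    # every one of the six flags
FLAG_BITS["NONE"] = 0x00   # no flags at all


def flags_to_mask(names: Iterable[str]) -> int:
    """OR together the bit values of the named flags."""
    mask = 0
    for name in names:
        mask |= FLAG_BITS[name.upper()]
    return mask


def parse_flag_list(spec: str) -> int:
    """Parse an iptables-style flag list such as 'FIN,ACK' or 'ALL'."""
    return flags_to_mask(part.strip() for part in spec.split(",") if part.strip())


def tcp_flags_match(mask_spec: str, comp_spec: str, packet_flags: int) -> bool:
    """
    Emulate '--tcp-flags MASK COMP': look only at the bits named in MASK and
    require exactly the bits named in COMP (which must be a subset of MASK)
    to be set.  Bits outside MASK are ignored entirely.
    """
    mask = parse_flag_list(mask_spec)
    comp = parse_flag_list(comp_spec)
    if comp & ~mask:
        raise ValueError("COMP flags must be a subset of MASK flags")
    return (packet_flags & mask) == comp


# Constructed sample packets; only the TCP flag byte matters for this check.
SAMPLE_PACKETS = {
    "fin_only":    flags_to_mask(["FIN"]),
    "fin_ack":     flags_to_mask(["FIN", "ACK"]),          # normal close
    "fin_psh_urg": flags_to_mask(["FIN", "PSH", "URG"]),   # FIN with extras
    "syn_only":    flags_to_mask(["SYN"]),
    "ack_only":    flags_to_mask(["ACK"]),
    "no_flags":    flags_to_mask(["NONE"]),
}


def classify(packet_flags: int) -> dict:
    """Evaluate the thread's rule and a stricter variant on one packet."""
    return {
        # The rule from the thread: FIN set, ACK clear, other bits ignored.
        "fin_not_ack": tcp_flags_match("FIN,ACK", "FIN", packet_flags),
        # Stricter: FIN is the only one of the six flags that is set.
        "exactly_fin": tcp_flags_match("ALL", "FIN", packet_flags),
    }


if __name__ == "__main__":
    for name, flags in SAMPLE_PACKETS.items():
        print(f"{name:12s} flags=0x{flags:02x} {classify(flags)}")
```

The difference between the two rules is the one a firewall author usually cares about: `FIN,ACK FIN` also catches a FIN packet that carries PSH or URG, whereas `ALL FIN` only catches a packet whose sole flag is FIN. Neither matches the FIN+ACK that a legitimate close produces, which is why the earlier ESTABLISHED,RELATED rule and this one do not conflict.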