Hudson & Ron

I'm not sure there even exists documentation to explain some of the DROP rules I see in firewall scripts. Have you seen guys like these?...

-p tcp --tcp-flags ACK,FIN FIN -j DROP
-p tcp --tcp-flags ACK,PSH PSH -j DROP
-p tcp --tcp-flags ACK,URG URG -j DROP

What TCP/IP book tells you that FIN, PSH and URG packets usually have ACK set? **These** are the rules I don't know how to understand.

Chris

On Fri, Feb 04, 2005 at 08:13:51AM -0800, Hudson Delbert J Contr 61 CS/SCBN wrote:
> ron,
>
> i can now die happy as i've finally heard someone echo my sentiments
> as regards to 'shortcuts' to eliminate learning the basics of network
> environments. its the same malady that many programmers suffer from
> as evidenced by the shoddy unchecked code that makes it to mkt today.
>
> ~go to school
>
>
> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx]On Behalf Of R. DuFresne
> Sent: Thursday, February 03, 2005 4:32 PM
> To: seberino@xxxxxxxxxxxxxxx
> Cc: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: IDS better than hardcore iptables rules?
>
>
> On Thu, 3 Feb 2005 seberino@xxxxxxxxxxxxxxx wrote:
>
> > Many people on this list including Jason O. are masters
> > at creating very detailed careful iptables rules that
> > DROP packets that have anything peculiar about them.
> >
> > (e.g. FIN without ACK, etc.)
> >
> > My iptables script just filters based on port
> > number and protocol. I was wondering if instead
> > of diving into TCP education to duplicate the
> > fine work Jason and others have done,
> > if an IDS (Intrusion Detection System)
> > like Snort would serve the same purpose???
> >
> > I assume Snort **ALSO** knows what TCP flag combos
> > typically signify a port scan and other nasties?
> >
>
> And there are many that have delved into combining the two applications to
> work together, but, IDS is a beast unto itself, takes perhaps a bit more
> thought and work just to tune the IDS *behind* the firewall to get the
> proper set of true alarms working such that it's not just another whining
> app that gets ignored pretty much as much as most system logs tend to be.
>
> And TCP education is required as much for IDS setup and design as proper
> firewalling. There are no shortcuts, one needs to gain the basic
> knowledge levels to tackle more than the basics of network design as in
> any other venture one wishes to put their efforts into. After all, there
> were no real cheap shortcuts to your phd, correct?
>
> Thanks,
>
> Ron DuFresne
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior security consultant: sysinfo.com
> http://sysinfo.com
>
> ...Love is the ultimate outlaw. It just won't adhere to rules.
> The most any of us can do is sign on as its accomplice. Instead
> of vowing to honor and obey, maybe we should swear to aid and abet.
> That would mean that security is out of the question. The words
> "make" and "stay" become inappropriate. My love for you has no
> strings attached. I love you for free...
> -Tom Robbins <Still Life With Woodpecker>
>
>

--
_______________________________________
Christian Seberino, Ph.D.
SPAWAR Systems Center San Diego
Code 2872
49258 Mills Street, Room 158
San Diego, CA 92152-5385
U.S.A.

Phone: (619) 553-9973
Fax  : (619) 553-6521
Email: seberino@xxxxxxxxxxxxxxx
_______________________________________
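Added worked example (not part of the thread, and not netfilter's own code): it models the test that iptables' `--tcp-flags MASK COMP` performs on the flags byte of a TCP header, so the three DROP rules Chris quotes can be read mechanically. Only the bits named in MASK are examined, and the rule matches when exactly the COMP subset of those bits is set; `--tcp-flags ACK,FIN FIN` therefore means "FIN set and ACK clear", not "FIN set". The reason such segments are suspicious is RFC 793 itself: once a connection is established every segment carries ACK, so a FIN, PSH or URG with ACK clear is something no established connection sends. The TCP headers below are constructed sample data; the rule strings are the three from the message.

```python
import struct

# TCP flag bits as they sit in the flags byte (offset 13) of the TCP header, per RFC 793.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags_to_bits(names):
    """Turn an iptables flag list such as 'ACK,FIN' (or the keywords ALL / NONE) into a bitmask."""
    if names == "ALL":
        return sum(TCP_FLAGS.values())
    if names == "NONE":
        return 0
    bits = 0
    for name in names.split(","):
        bits |= TCP_FLAGS[name]
    return bits


def parse_tcp_flags_rule(rule):
    """Extract (mask, comp) from a rule string containing '--tcp-flags MASK COMP'."""
    tokens = rule.split()
    i = tokens.index("--tcp-flags")
    return flags_to_bits(tokens[i + 1]), flags_to_bits(tokens[i + 2])


def tcp_flags_match(flags_byte, mask, comp):
    """The comparison netfilter makes: keep only the MASK bits, require them to equal COMP."""
    return (flags_byte & mask) == comp


def build_tcp_header(src_port, dst_port, flags):
    """Constructed 20-byte TCP header with no options. Sequence numbers and checksum
    are left zero because nothing here is transmitted; only the flags byte matters."""
    data_offset = 5 << 4  # header length = 5 x 32-bit words, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, data_offset, flags, 65535, 0, 0)


def flags_of(segment):
    """Read the flags byte (offset 13) from a raw TCP header."""
    return segment[13]


def describe_flags(flags_byte):
    """Human-readable flag list, e.g. 'FIN,ACK'."""
    return ",".join(n for n, b in TCP_FLAGS.items() if flags_byte & b) or "NONE"


# The three rules from the message, exactly as written.
DROP_RULES = [
    "-p tcp --tcp-flags ACK,FIN FIN -j DROP",
    "-p tcp --tcp-flags ACK,PSH PSH -j DROP",
    "-p tcp --tcp-flags ACK,URG URG -j DROP",
]


def first_drop_rule(segment, rules=DROP_RULES):
    """Return the first rule that would DROP the segment, or None if every rule falls through."""
    fb = flags_of(segment)
    for rule in rules:
        mask, comp = parse_tcp_flags_rule(rule)
        if tcp_flags_match(fb, mask, comp):
            return rule
    return None


if __name__ == "__main__":
    # Constructed samples: what an established connection actually sends (ACK present)
    # beside segments with ACK clear, which no established connection produces.
    samples = {
        "normal teardown FIN/ACK": build_tcp_header(40000, 80, TCP_FLAGS["FIN"] | TCP_FLAGS["ACK"]),
        "normal data PSH/ACK": build_tcp_header(40000, 80, TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"]),
        "handshake SYN": build_tcp_header(40000, 80, TCP_FLAGS["SYN"]),
        "bare FIN": build_tcp_header(40000, 80, TCP_FLAGS["FIN"]),
        "bare PSH": build_tcp_header(40000, 80, TCP_FLAGS["PSH"]),
        "bare URG": build_tcp_header(40000, 80, TCP_FLAGS["URG"]),
    }
    for label, seg in samples.items():
        verdict = first_drop_rule(seg) or "no match, falls through to later rules"
        print(f"{label:24s} flags={describe_flags(flags_of(seg)):8s} -> {verdict}")
```

Running it shows the FIN/ACK teardown, the PSH/ACK data segment and the bare SYN of a handshake all pass the three rules untouched, while bare FIN, PSH and URG each hit the corresponding rule. Because the rules only look at the two bits in their MASK, a segment carrying FIN together with PSH and URG but no ACK is stopped by the first rule alone.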