Hi,

What I meant with "experimental tcp options" is that my IDS (Snort) kept logging these "experimental tcp options":

  # code 76 length 8 data 01019DEDBEF00005

I know this ain't a Snort list, but my servers don't serve any services that require this kind of traffic. So I was wondering if iptables has any way of blocking these.

These two magic lines fixed it all:

  iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
  iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

Thanks a lot for the help.

On Thu, 2007-05-17 at 13:18 -0400, Marc Cozzi wrote:
> Paul,
>
> I believe that's correct. Although I'm still not
> sure what was originally meant by "experimental tcp options".
>
> -marc
>
> > -----Original Message-----
> > From: Paul Blondé [mailto:jpb@xxxxxxxx]
> > Sent: Thursday, May 17, 2007 11:09 AM
> > To: netfilter@xxxxxxxxxxxxxxxxxxx
> > Subject: RE: is it possible to block ip packets that contains
> > experimental tcp options ?
> >
> > I assume that LOG-AND-DROP is your own chain, crafted so that
> > you can perform both functions with a single entry?
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Paul Blondé
> >
> > > -----Original Message-----
> > > From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> > > [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Marc Cozzi
> > > Sent: Wednesday, May 16, 2007 5:19 AM
> > > To: netfilter@xxxxxxxxxxxxxxxxxxx
> > > Subject: RE: is it possible to block ip packets that contains
> > > experimental tcp options ?
> > >
> > > Glenn,
> > >
> > > Not sure what you mean by "experimental"; however, there are some
> > > conditions of flags that should never occur on the network. These can
> > > be trapped with rules similar to the following.
> > >
> > > iptables -A BLOCKED -m state --state INVALID -j LOG-AND-DROP
> > > iptables -A BLOCKED -p tcp --tcp-flags ALL ALL -j LOG-AND-DROP
> > > iptables -A BLOCKED -p tcp --tcp-flags ALL NONE -j LOG-AND-DROP
> > >
> > > --marc
> > >
> > > > -----Original Message-----
> > > > From: Glenn Terjesen [mailto:glenn@xxxxxxxxx]
> > > > Sent: Wednesday, May 16, 2007 5:24 AM
> > > > To: netfilter@xxxxxxxxxxxxxxxxxxx
> > > > Subject: is it possible to block ip packets that contains
> > > > experimental tcp options ?
> > > >
> > > > Hello,
> > > > got an iptables firewall filtering our servers.
> > > >
> > > > Is it possible to block tcp packets that contain experimental tcp
> > > > options?
> > > >
> > > > AND is it smart to do so?
> > > >
> > > > --
> > > > Best regards, Glenn Terjesen @ Webcat AS
> > > > Tel: +47 37 02 20 20
> > > > E-mail: support@xxxxxxxxx

--
Best regards, Glenn Terjesen @ Webcat AS
Tel: +47 37 02 20 20
E-mail: support@xxxxxxxxx
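The rules in the thread match on flag combinations, not on option contents: a segment carrying an unusual option kind passes `--tcp-flags ALL ALL` / `--tcp-flags ALL NONE` unless it also has a bogus flag set. The Python below is an added illustration, not code from the thread or from netfilter. It decodes a raw TCP header, applies the same two flag tests the rules apply, and separately lists option kinds outside a small allowlist. The allowlist is an assumption standing in for whatever Snort's "experimental tcp options" check uses; the `-m state --state INVALID` rule depends on conntrack state and is not modelled. All segments are constructed inline, and the kind-76 sample reuses the kind and length from the Snort log line, with the payload bytes read as shown in the comment.

```python
import struct
from dataclasses import dataclass, field

# The six flags iptables' --tcp-flags understands; "ALL" is the union of them
# (ECE/CWR in bits 6 and 7 are outside the mask and never influence the match).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_MASK = 0x3F

# Option kinds a server-facing filter normally expects.  Treating every other
# kind as "unrecognized" is this example's assumption about what the Snort
# alert in the thread calls an experimental option; Snort's own table differs.
KNOWN_OPTION_KINDS = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale",
                      4: "SACK-permitted", 5: "SACK", 8: "Timestamp"}


@dataclass
class TcpInspection:
    flags: int                     # low six bits of the TCP flags byte
    options: list                  # [(kind, payload bytes), ...] in wire order
    verdicts: list = field(default_factory=list)      # rules from the thread that fire
    unrecognized: list = field(default_factory=list)  # option kinds not in the table


def parse_tcp_header(segment: bytes) -> TcpInspection:
    """Decode flags and the option list from a raw TCP segment (header first)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset outside the segment")
    flags = segment[13] & ALL_MASK
    buf = segment[20:data_offset]
    options, i = [], 0
    while i < len(buf):
        kind = buf[i]
        if kind == 0:                      # End of option list
            options.append((0, b""))
            break
        if kind == 1:                      # single-byte NOP
            options.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("option kind %d has no length byte" % kind)
        length = buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        options.append((kind, bytes(buf[i + 2:i + length])))
        i += length
    return TcpInspection(flags=flags, options=options)


def inspect_segment(segment: bytes) -> TcpInspection:
    """Apply the thread's two --tcp-flags rules and report unrecognized option kinds."""
    insp = parse_tcp_header(segment)
    # --tcp-flags ALL ALL: all six flags set, a combination no real stack sends
    if insp.flags == ALL_MASK:
        insp.verdicts.append("--tcp-flags ALL ALL")
    # --tcp-flags ALL NONE: none of the six set, equally invalid for real traffic
    if insp.flags == 0:
        insp.verdicts.append("--tcp-flags ALL NONE")
    insp.unrecognized = [k for k, _ in insp.options if k not in KNOWN_OPTION_KINDS]
    return insp


def build_tcp_segment(flags: int, options: bytes = b"") -> bytes:
    """Constructed test segment: fixed ports/seq numbers, options padded with EOL to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                       data_offset << 4, flags, 65535, 0, 0) + options


# Constructed samples.  The last one carries option kind 76 with length 8, the values
# from the Snort log in the thread; the two leading 0x01 bytes of the logged data are
# read as NOPs and the remaining six bytes as the option payload, which is an
# interpretation of the log line, not something it states.
SAMPLE_SEGMENTS = {
    "normal_syn": build_tcp_segment(TCP_FLAGS["SYN"], b"\x02\x04\x05\xb4"),   # MSS 1460
    "all_flags_set": build_tcp_segment(ALL_MASK),
    "no_flags_set": build_tcp_segment(0),
    "experimental_option": build_tcp_segment(
        TCP_FLAGS["ACK"], b"\x01\x01" + bytes([76, 8]) + bytes.fromhex("9DEDBEF00005")),
}

if __name__ == "__main__":
    for name, seg in SAMPLE_SEGMENTS.items():
        r = inspect_segment(seg)
        print(f"{name:20s} flags=0x{r.flags:02x} verdicts={r.verdicts} "
              f"unrecognized={r.unrecognized}")
```

Running it shows the point of the thread's outcome: the all-flags and no-flags segments hit the two rules, while the kind-76 segment with a plain ACK hits neither and is only caught by the option-kind check. For matching on the option kind in the kernel rather than in userland, iptables' tcp match also has `--tcp-option number`, which tests for the presence of an option of that kind; the unrecognized-kind list here corresponds to such a rule per kind.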