Which "illegal" tcp-fragments should be blocked?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I've read on numerous sites, and in bunches of examples, that "illegal
tcp fragments" should be blocked early in a firewall rule set.

As I understand it, the rule takes the form,

	iptables -A INPUT -p tcp --tcp-flags "mask" "comp" -j DROP

Every source I read seems to match & block a different combination of
fragments.  So far, the list of "block these" mask/comp pairs that
I've come across are:

	"mask"                            "comp"
	----------------                  ----------------
	ALL                               ALL
	ALL                               NONE
	ALL                               FIN,URG,PSH
	ALL                               FIN,URG,PSH
	ALL                               SYN,RST,ACK,FIN,URG
	ACK                               ACK
	FIN,ACK                           FIN
	FIN,URG,PSH                       FIN,URG,PSH
	SYN                               NONE
	SYN,RST                           SYN,RST
	SYN,FIN,RST,ACK                   NONE
	SYN,FIN,RST,ACK,URG               NONE
	SYN,FIN                           SYN,FIN
	SYN,FIN,RST,ACK                   FIN
	SYN,FIN,RST,ACK,URG               URG
	SYN,FIN                           SYN,FIN
	SYN,FIN,RST,ACK                   SYN,FIN
	SYN,FIN,RST,ACK,URG,PSH,ECE,CWR   FIN,URG,PSH
	SYN,FIN,RST,ACK,URG               SYN,FIN,RST,ACK,URG
	SYN,FIN,RST,ACK,URG,PSH           SYN,FIN,RST,ACK,URG,PSH

Which of these are really valid targets to block?  Each of the pairs
is blocked at least sometimes; noone I've found so far blocks them
all.  Is this list even complete?

Thanks.

--JC
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux