I've read on numerous sites, and in bunches of examples, that "illegal tcp fragments" should be blocked early in a firewall rule set. As I understand it, the rule takes the form

    iptables -A INPUT -p tcp --tcp-flags "mask" "comp" -j DROP

Every source I read seems to match & block a different combination of fragments. So far, the list of "block these" mask/comp pairs that I've come across is:

    "mask"                              "comp"
    ----------------                    ----------------
    ALL                                 ALL
    ALL                                 NONE
    ALL                                 FIN,URG,PSH
    ALL                                 FIN,URG,PSH
    ALL                                 SYN,RST,ACK,FIN,URG
    ACK                                 ACK
    FIN,ACK                             FIN
    FIN,URG,PSH                         FIN,URG,PSH
    SYN                                 NONE
    SYN,RST                             SYN,RST
    SYN,FIN,RST,ACK                     NONE
    SYN,FIN,RST,ACK,URG                 NONE
    SYN,FIN                             SYN,FIN
    SYN,FIN,RST,ACK                     FIN
    SYN,FIN,RST,ACK,URG                 URG
    SYN,FIN                             SYN,FIN
    SYN,FIN,RST,ACK                     SYN,FIN
    SYN,FIN,RST,ACK,URG,PSH,ECE,CWR     FIN,URG,PSH
    SYN,FIN,RST,ACK,URG                 SYN,FIN,RST,ACK,URG
    SYN,FIN,RST,ACK,URG,PSH             SYN,FIN,RST,ACK,URG,PSH

Which of these are really valid targets to block? Each of the pairs is blocked at least sometimes; no one I've found so far blocks them all. Is this list even complete?

Thanks.
--JC
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
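The question above is really about what `--tcp-flags mask comp` computes and what the listed pairs do as unconditional DROP rules. The following is an added example, not code from the poster or from the netfilter/iptables project: it models the match as `(flags & mask) == comp`, with `ALL` standing for the six classic flags (SYN, ACK, FIN, RST, URG, PSH) and `NONE` for zero, which is how the iptables tcp match defines them. It then runs the posted list against a few normal packet types and enumerates all 256 flag bytes to find rules that are exact duplicates or that are already covered by another rule in the list. The packet flag values and the "legitimate traffic" table are constructed for the demonstration.

```python
"""Model of iptables' ``-p tcp --tcp-flags MASK COMP`` match.

Constructed example, not netfilter or iptables code.  Assumption: the
match fires when (flags & MASK) == COMP, with ALL = SYN,ACK,FIN,RST,URG,PSH
and NONE = 0.  ECE and CWR are real TCP flag bits but are NOT part of ALL.
"""

FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}
ALL = 0x3F   # the six classic flags
NONE = 0x00


def parse_flags(spec):
    """Turn 'SYN,FIN', 'ALL' or 'NONE' into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return NONE
    value = 0
    for name in spec.split(","):
        value |= FLAG_BITS[name]
    return value


def matches(flags, mask, comp):
    """The --tcp-flags test: look only at the mask bits, require comp."""
    return (flags & parse_flags(mask)) == parse_flags(comp)


def never_matches(mask, comp):
    """A comp bit that is not in mask can never be seen, so the rule is dead."""
    return parse_flags(comp) & ~parse_flags(mask) != 0


# The twenty (mask, comp) pairs exactly as listed in the post, in order.
RULES = [
    ("ALL", "ALL"), ("ALL", "NONE"), ("ALL", "FIN,URG,PSH"), ("ALL", "FIN,URG,PSH"),
    ("ALL", "SYN,RST,ACK,FIN,URG"), ("ACK", "ACK"), ("FIN,ACK", "FIN"),
    ("FIN,URG,PSH", "FIN,URG,PSH"), ("SYN", "NONE"), ("SYN,RST", "SYN,RST"),
    ("SYN,FIN,RST,ACK", "NONE"), ("SYN,FIN,RST,ACK,URG", "NONE"),
    ("SYN,FIN", "SYN,FIN"), ("SYN,FIN,RST,ACK", "FIN"),
    ("SYN,FIN,RST,ACK,URG", "URG"), ("SYN,FIN", "SYN,FIN"),
    ("SYN,FIN,RST,ACK", "SYN,FIN"),
    ("SYN,FIN,RST,ACK,URG,PSH,ECE,CWR", "FIN,URG,PSH"),
    ("SYN,FIN,RST,ACK,URG", "SYN,FIN,RST,ACK,URG"),
    ("SYN,FIN,RST,ACK,URG,PSH", "SYN,FIN,RST,ACK,URG,PSH"),
]


def dropped_by(flags, rules=RULES):
    """Which listed rules would DROP a packet carrying these flag bits."""
    return [r for r in rules if matches(flags, *r)]


def match_set(mask, comp):
    """Every one of the 256 possible flag bytes that a rule matches."""
    return frozenset(f for f in range(256) if matches(f, mask, comp))


def redundant_rules(rules=RULES):
    """Indices of rules whose match set lies inside another rule's match set.

    For exact duplicates the later copy is reported, so a list with only
    unique, non-overlapping rules yields [].
    """
    sets = [match_set(*r) for r in rules]
    out = []
    for i, s in enumerate(sets):
        for j, t in enumerate(sets):
            if i != j and (s < t or (s == t and j < i)):
                out.append(i)
                break
    return out


if __name__ == "__main__":
    # Constructed flag bytes for ordinary traffic: handshake, data, teardown.
    legit = {"SYN": 0x02, "SYN/ACK": 0x12, "ACK": 0x10,
             "PSH/ACK": 0x18, "FIN/ACK": 0x11, "RST": 0x04}
    for name, flags in legit.items():
        print(f"{name:8s} dropped by {dropped_by(flags)}")
    print("null scan (no flags) dropped by", dropped_by(0x00))
    print("redundant rule indices:", redundant_rules())
```

Running it shows the practitioner's check the post is missing: a bare `--tcp-flags ACK ACK -j DROP` or `--tcp-flags SYN NONE -j DROP` matches every plain ACK of an established connection, so those two pairs only make sense combined with another match (for example a connection-state match on NEW), not as standalone early DROPs. The enumeration also reports the two literal duplicates in the list and pairs such as `ALL NONE`, which is already covered by `SYN,FIN,RST,ACK NONE`.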