Hi Thomas,
On 26/08/2020 17:01, Thomas Luening wrote:
Hi Kerin, hi David
Am 26.08.20 um 08:49 schrieb kfm@xxxxxxxxxxxxx:
Your interpretation appears correct to me.
Thank you for your answer! :-)
/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
/*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR },
That was a great help, but it is really heavy stuff. It's hard to work
through these tables and to understand them in context. While testing I
found that the xmas-statement is a rather weak protection, because it
seems to check for an explicit match of all given flags. If I use the
flags in various combinations...
nmap 10.0.1.200 --scanflags "URG ACK PSH RST SYN FIN" -p 631
...it is noticeable that some packets were not recognized at all. But
the check for 'invalid' was always successful. Conclusion: The
xmas-statement is not a good choice.
I forgot to say that there is a sysctl which, if enabled, will log
invalid packets. You can enable it by running:
sysctl -w net.netfilter.nf_conntrack_log_invalid=1
Packets that fail the general flag combination check will then trigger a
message containing the substring "invalid tcp flag combination", whereas
packets that violate the rules of the state machine will trigger
messages containing substrings such as "invalid state". Just look for
the word 'invalid' in general.
I believe that the problem can be closed. Thanks again for your help.
Best Regards, Tom
--
Kerin Millar
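As an added worked example (not from this thread, and not kernel or iptables code), here is a small Python model of the two checks being compared above: the exact-match semantics of an iptables `--tcp-flags ALL FIN,PSH,URG` xmas rule, and nf_conntrack's TCP flag-combination check. The set of combinations conntrack accepts is my transcription of the tcp_valid_flags table in nf_conntrack_proto_tcp.c and is an assumption to verify against your own kernel version; the nmap flag sets and the kernel log lines fed to it are constructed inputs, not real captures.

```python
# Added example: model an iptables xmas rule next to nf_conntrack's
# "invalid tcp flag combination" check, and sort the log lines that
# net.netfilter.nf_conntrack_log_invalid=1 produces by which check failed.

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
FLAG_BITS = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH,
             "ACK": ACK, "URG": URG, "ECE": ECE, "CWR": CWR}
# iptables' "ALL" keyword covers the six classic flags.
ALL = FIN | SYN | RST | PSH | ACK | URG

# Combinations conntrack accepts after masking off PSH, ECE and CWR.
# Assumption: transcribed from tcp_valid_flags[] in nf_conntrack_proto_tcp.c;
# check it against the kernel you run.
CONNTRACK_VALID = frozenset({
    SYN, SYN | URG, SYN | ACK,
    RST, RST | ACK,
    FIN | ACK, FIN | ACK | URG,
    ACK, ACK | URG,
})


def parse_flags(spec):
    """Turn 'URG ACK PSH' (nmap --scanflags) or 'FIN,PSH,URG' (iptables) into a bitmask."""
    value = 0
    for name in spec.replace(",", " ").split():
        value |= FLAG_BITS[name.upper()]
    return value


def tcp_flags_match(flags, mask, comp):
    """iptables '--tcp-flags MASK COMP': look only at MASK bits, require exactly COMP."""
    return (flags & mask) == comp


def xmas_rule_matches(flags):
    """The classic xmas rule, --tcp-flags ALL FIN,PSH,URG: exactly those three bits set."""
    return tcp_flags_match(flags, ALL, FIN | PSH | URG)


def conntrack_flags_valid(flags):
    """conntrack's first TCP check: is the FIN/SYN/RST/ACK/URG combination plausible?"""
    return (flags & ~(PSH | ECE | CWR)) in CONNTRACK_VALID


def classify(spec):
    """Report whether a probe is caught by the xmas rule and/or rejected as invalid."""
    flags = parse_flags(spec)
    return {"flags": spec,
            "xmas_rule": xmas_rule_matches(flags),
            "conntrack_invalid": not conntrack_flags_valid(flags)}


def classify_log_line(line):
    """Sort a kernel message logged under nf_conntrack_log_invalid by the check it failed."""
    if "invalid tcp flag combination" in line:
        return "flag-combination"
    if "invalid state" in line:
        return "state-machine"
    return None


# Constructed probes: the flag sets from the thread plus a few more for contrast.
PROBES = ["FIN PSH URG", "URG ACK PSH RST SYN FIN", "FIN", "SYN FIN", "SYN ACK", "ACK PSH"]

# Constructed log lines shaped after the substrings named in the thread (not real captures).
SAMPLE_LOG = [
    "nf_ct_proto_6: invalid tcp flag combination IN=eth0 SRC=10.0.1.5 DST=10.0.1.200 PROTO=TCP DPT=631",
    "nf_ct_proto_6: invalid state IN=eth0 SRC=10.0.1.5 DST=10.0.1.200 PROTO=TCP DPT=631",
    "eth0: link becomes ready",
]

if __name__ == "__main__":
    for spec in PROBES:
        print(classify(spec))
    for line in SAMPLE_LOG:
        print(classify_log_line(line), "<-", line)
```

Running it shows the point Thomas made: only the literal FIN,PSH,URG probe trips the xmas rule, while every malformed combination (including the all-flags probe from the thread, and a lone FIN or SYN+FIN) is rejected by the conntrack flag check, which is why a `ctstate INVALID` rule placed early in the chain catches far more than a hand-written flag match.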