Thanks to everyone for their input on my ICMP questions. BTW, I finally got around to reading "Linux Firewalls 2nd Edition"; it says that I should allow 3, 4, 11 and 12... pretty much what I had read online.

Now I'm working on my 'hostile flags' section. This is what I have:

    $IPT -N FLAGS
    $IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL FIN,URG,PSH -j FLAGS
    $IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL ALL -j FLAGS
    $IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL SYN,RST,ACK,FIN,URG -j FLAGS
    $IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL NONE -j FLAGS
    $IPT -A INPUT -p tcp -i $EXT --tcp-flags SYN,RST SYN,RST -j FLAGS
    $IPT -A INPUT -p tcp -i $EXT --tcp-flags SYN,FIN SYN,FIN -j FLAGS
    $IPT -A FLAGS -j LOG --log-level info --log-prefix "**BAD FLAGS** "
    $IPT -A FLAGS -j DROP

My question is: are these the right ones to detect intentional TCP flag manipulation? And what exactly could a potential hacker accomplish by using any of these?

Thanks in advance,

Jeff Bonner
Royal Oak, MI USA
PGP ID 0x82FC9EEE
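Added example, not part of the post above: a small Python model of how the `--tcp-flags MASK COMP` match works (iptables examines only the MASK bits and requires that exactly the COMP bits among them are set), run against the six rules from the post over constructed 20-byte TCP headers. Two details it makes visible: a rule with an `ALL` mask matches only the exact combination, so a FIN,PSH,URG probe that also sets ACK is not caught by the first rule, while ECE/CWR are ignored because the `ALL` alias covers only FIN,SYN,RST,PSH,ACK,URG. The packets, ports and sequence numbers are made up for illustration; `HOSTILE_FLAG_RULES` is the post's rule list transcribed, not anything from a real firewall.

```python
import struct

# Flag bits in byte 13 of the TCP header (RFC 793; ECE/CWR from RFC 3168).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
# iptables' ALL alias covers the six classical flags only, not ECE/CWR.
ALIASES = {"ALL": 0x3F, "NONE": 0x00}


def parse_flag_list(spec):
    """Turn an iptables flag list such as 'SYN,RST' or 'ALL' into a bitmask."""
    if spec in ALIASES:
        return ALIASES[spec]
    mask = 0
    for name in spec.split(","):
        mask |= FLAG_BITS[name.strip().upper()]
    return mask


def tcp_flags_match(mask_spec, comp_spec, flags):
    """--tcp-flags MASK COMP: only the MASK bits are examined; the COMP bits
    must be set and every other MASK bit must be clear."""
    mask, comp = parse_flag_list(mask_spec), parse_flag_list(comp_spec)
    return flags & mask == comp


# The six --tcp-flags rules from the post, in chain order (transcribed here).
HOSTILE_FLAG_RULES = [
    ("ALL", "FIN,URG,PSH"),          # Xmas probe (nmap -sX)
    ("ALL", "ALL"),                  # every classical flag set
    ("ALL", "SYN,RST,ACK,FIN,URG"),  # everything except PSH
    ("ALL", "NONE"),                 # Null probe (nmap -sN)
    ("SYN,RST", "SYN,RST"),          # SYN and RST together, other flags ignored
    ("SYN,FIN", "SYN,FIN"),          # SYN and FIN together, other flags ignored
]


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Constructed 20-byte TCP header (no options) carrying the given flag bits."""
    data_offset = 5 << 4  # header length 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def flags_of(tcp_header):
    """The flag byte is byte 13 of the TCP header."""
    return tcp_header[13]


def first_hostile_rule(tcp_header):
    """Index of the first FLAGS rule the packet hits, or None if it passes."""
    flags = flags_of(tcp_header)
    for i, (mask, comp) in enumerate(HOSTILE_FLAG_RULES):
        if tcp_flags_match(mask, comp, flags):
            return i
    return None


if __name__ == "__main__":
    f = FLAG_BITS
    # Constructed sample traffic: (label, flag bits)
    samples = [
        ("plain SYN", f["SYN"]),
        ("SYN/ACK", f["SYN"] | f["ACK"]),
        ("Xmas FIN/PSH/URG", f["FIN"] | f["PSH"] | f["URG"]),
        ("Xmas + ECE (ECE outside ALL)", f["FIN"] | f["PSH"] | f["URG"] | f["ECE"]),
        ("Xmas + ACK (not caught)", f["FIN"] | f["PSH"] | f["URG"] | f["ACK"]),
        ("Null", 0),
        ("all six flags", 0x3F),
        ("SYN/RST/ACK", f["SYN"] | f["RST"] | f["ACK"]),
        ("SYN/FIN/ACK", f["SYN"] | f["FIN"] | f["ACK"]),
    ]
    for label, bits in samples:
        hit = first_hostile_rule(build_tcp_header(40000, 80, bits))
        verdict = "pass" if hit is None else "FLAGS rule %d" % hit
        print("%-32s 0x%02x -> %s" % (label, bits, verdict))
```

Run it and compare the last two rows with the first rule: the FIN,PSH,URG probe with ACK added lands on none of the six rules, which is exactly what the `ALL` mask asks for (every other classical flag clear), whereas the SYN,RST and SYN,FIN rules use a two-bit mask and therefore fire regardless of what else is set.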