Re: IPtables Question II: `Hostile' Flags

To: debian-firewall@lists.debian.org
Subject: Re: IPtables Question II: `Hostile' Flags
From: Adriano Nagelschmidt Rodrigues <anr@estadao.com.br>
Date: Thu, 31 Oct 2002 10:03:51 -0300
Message-id: <[🔎] 20021031130351.GA977@chianti>
Mail-followup-to: debian-firewall@lists.debian.org
In-reply-to: <[🔎] 20021030223837.A31205@marvin.informatik.uni-stuttgart.de>
References: <[🔎] 20021030200227.GA27993@integralogic.com> <[🔎] 20021030223837.A31205@marvin.informatik.uni-stuttgart.de>

Sorry, I missed the previous mails in this discussion.

If you have stateful firewall, shouldn't this be sufficient:

    $IPTABLES -A ch_tcp -p TCP -i $INET_IFACE \! --syn \
        -m state --state NEW -j ch_bad

(ch_bad logs in warning level and drops the packet)

But I remember that when I tested it with nmap, some types of stealth scan
(only NULL?) didn't show up in the logs... I also have this rule:

    $IPTABLES -A ch_tcp -p TCP -i $INET_IFACE --tcp-flags ALL NONE \
        -m state --state NEW -j ch_bad

Regards,

--
Adriano

Reply to:

References:
- IPtables Question II: `Hostile' Flags
  - From: Jeff Bonner (debian-fw) <debian@integralogic.com>
- Re: IPtables Question II: `Hostile' Flags
  - From: Nils Radtke <Nils.Radtke@Think-Future.de>

Prev by Date: Re: IPtables Question II: `Hostile' Flags
Next by Date: Re: fwmark / routing ...
Previous by thread: Re: IPtables Question II: `Hostile' Flags
Index(es):
- Date
- Thread