Re: TCP SYN packets which have the FIN flag set.

To: Luis Pérez Meliá <luisp.m@ono.com>
Cc: debian-security@lists.debian.org
Subject: Re: TCP SYN packets which have the FIN flag set.
From: Baruch Even <baruch@ev-en.org>
Date: Fri, 05 Nov 2004 11:27:07 +0000
Message-id: <1099654027.3571.45.camel@baruch.hamilton.local>
In-reply-to: <1099590509.3233.58.camel@localhost>
References: <1099503358.3095.2.camel@localhost> <20041104111432.GB28422@kontryhel.haltyr.dyndns.org> <1099590509.3233.58.camel@localhost>

On Thu, 2004-11-04 at 17:48, Luis Pérez Meliá wrote:
> I'm using iptables.
> 
> In my rules I have this:
>         .
>         .
>         .
>         iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>         iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL SYN -j ACCEPT

Please dont do that!

You are not only blocking illegal flag combinations, you are also
blocking perfectly legal ones! And then spreading this bad
configuration.

There are flags in the TCP that we want to be allowed on start of
connections, specifically ECN flags, you can look at
http://www.icir.org/floyd/ecnProblems.html

Note that you will not be able to receive mails from the LKML with such
a setup since LKML server uses ECN.

You can use SYN,ACK,FIN,RST SYN to check for illegal flags.

Baruch

Reply to:

Follow-Ups:
- Re: TCP SYN packets which have the FIN flag set.
  - From: Stefan Fritsch <sfritsch@ph.tum.de>

References:
- TCP SYN packets which have the FIN flag set.
  - From: Luis Pérez Meliá <luipeme@yahoo.es>
- Re: TCP SYN packets which have the FIN flag set.
  - From: Jan Minar <jjminar@fastmail.fm>
- Re: TCP SYN packets which have the FIN flag set.
  - From: Luis Pérez Meliá <luisp.m@ono.com>

Prev by Date: Re: TCP SYN packets which have the FIN flag set.
Next by Date: Re: TCP SYN packets which have the FIN flag set.
Previous by thread: Re: TCP SYN packets which have the FIN flag set.
Next by thread: Re: TCP SYN packets which have the FIN flag set.
Index(es):
- Date
- Thread