
Re: TCP SYN packets which have the FIN flag set.



On Fri, 2004-11-05 at 14:27, martin f krafft wrote:
> also sprach Baruch Even <baruch@ev-en.org> [2004.11.05.1229 +0100]:
> > This comes from the fact that the NEW state of Netfilter only
> > means that this is the first time this connection is seen by the
> > firewall. What you really want is the connection to be NEW and
> > a valid connection opening, so you check the SYN flag too.
> 
> Why do you care about the connection being NEW? I am not
> challenging, I just can't figure out an attack scenario that could
> exploit the fact that I only check for --syn.

You have three categories into which all sessions go:
ESTABLISHED,RELATED
NEW
INVALID
pick two to cover the spectrum of attacks.

If you don't check for NEW, a SYN packet which is INVALID for some
connection can be accepted. If you check for INVALID before you check
for SYN you're covered.

> > A former e-mail of mine explains why the --tcp-flags ALL SYN check
> > is a bad idea.
> 
> You say to use "RST,ACK,FIN,SYN SYN" which makes sense. If you use
> --syn and iptables-save, "RST,ACK,SYN SYN" is stored, so this is
> what --syn seems to mean. Why does --syn not set FIN in the mask?

Because of ideas like TTCP (as mentioned before in this thread); for the
exact reasons you'll have to ask the netfilter team. I developed a
firewall, but it wasn't netfilter.

Baruch
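The two points made above (check INVALID before the SYN check, and the difference between the mask iptables-save shows for --syn and the longer "RST,ACK,FIN,SYN SYN" mask) can be seen in a small model of how --tcp-flags matches. The example below is added here and is not from the thread or from netfilter; it models the rule order the reply describes (INVALID, then ESTABLISHED/RELATED, then NEW plus a flag check) and the "packet flags AND mask equals comparison" semantics of --tcp-flags. The mask and comparison strings are the ones quoted in the thread; everything else (function names, the sample packets) is constructed for illustration.

```python
# Added example: model of iptables --tcp-flags matching and the rule order
# discussed in the thread. Not netfilter code.

# TCP header flag bits (RFC 793, plus ECE/CWR from RFC 3168).
FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}
# iptables' keyword ALL covers the six classic flags, NONE is the empty set.
FLAG_ALIASES = {"ALL": 0x3F, "NONE": 0x00}


def flags_from_spec(spec):
    """Turn an iptables flag list such as 'RST,ACK,SYN' into a bit mask."""
    value = 0
    for name in spec.split(","):
        name = name.strip().upper()
        if name in FLAG_ALIASES:
            value |= FLAG_ALIASES[name]
        else:
            value |= FLAG_BITS[name]  # KeyError on an unknown flag, like iptables
    return value


def tcp_flags_match(pkt_flags, mask_spec, comp_spec):
    """--tcp-flags MASK COMP: only the bits in MASK are examined, and those
    bits must equal COMP exactly."""
    mask = flags_from_spec(mask_spec)
    comp = flags_from_spec(comp_spec)
    return (pkt_flags & mask) == comp


# What the thread says iptables-save stores for --syn, and the longer form
# that also inspects FIN.
SYN_SHORT = ("RST,ACK,SYN", "SYN")
SYN_WITH_FIN = ("RST,ACK,FIN,SYN", "SYN")


def classify(state, pkt_flags, mask_spec, comp_spec):
    """Verdict for one inbound TCP packet under the rule order from the reply:
       1. -m state --state INVALID            -> DROP
       2. -m state --state ESTABLISHED,RELATED -> ACCEPT
       3. -m state --state NEW + flag check    -> ACCEPT
       4. everything else                      -> DROP (policy)
    'state' is the conntrack state the kernel would have assigned."""
    if state == "INVALID":
        return "DROP"
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if state == "NEW" and tcp_flags_match(pkt_flags, mask_spec, comp_spec):
        return "ACCEPT"
    return "DROP"


if __name__ == "__main__":
    # Constructed sample packets: a plain SYN, and a SYN with FIN also set.
    syn_only = FLAG_BITS["SYN"]
    syn_fin = FLAG_BITS["SYN"] | FLAG_BITS["FIN"]
    for label, pkt in (("SYN", syn_only), ("SYN+FIN", syn_fin)):
        print(label,
              "short mask:", classify("NEW", pkt, *SYN_SHORT),
              "with FIN in mask:", classify("NEW", pkt, *SYN_WITH_FIN))
```

Because FIN is outside the "RST,ACK,SYN" mask, a SYN+FIN segment compares equal to "SYN" under that mask and is accepted as a connection opening; adding FIN to the mask makes the same packet fail the comparison. The classify() order also shows why the INVALID rule belongs before the SYN rule: an INVALID packet never reaches the flag check at all.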


