
Re: TCP SYN packets which have the FIN flag set.



On Fri, Nov 05, 2004 at 05:57:18PM +0000, Baruch Even wrote:
>On Fri, 2004-11-05 at 17:13, George Georgalis wrote:
>> On Fri, Nov 05, 2004 at 03:04:34PM +0000, Baruch Even wrote:
>> 
>> >ESTABLISHED,RELATED
>> >NEW
>> >INVALID
>> >pick two to cover the spectrum of attacks.
>> 
>> Why not all three in this order...
>> 
>> INVALID -j REJECT 
>> ESTABLISHED,RELATED -j ACCEPT
>> NEW -j ACCEPT (if allowed)
>
>If you checked INVALID and ESTABLISHED, the rest has to be NEW. You can
>check it if you want for completeness, you can avoid checking it to save
>a few bits compared.

Performance isn't really an issue for me. But I do accept only certain
new connections from certain networks.

And for anybody who is interested, I've found the limit function works
well to manage logging and types of deny.

  -m limit --limit-burst 50 --limit 1/s

At the end of my "NEW ACCEPT" set, I call a chain that, within the
limit, logs and rejects remaining connections; beyond the limit it
returns. The next two rules log some (with limit again) of the remaining
connections and drop them all. The setup gives a balance between the
problems of logging and rejecting everything bad and just dropping
everything bad.

// George


-- 
George Georgalis, systems architect, administrator Linux BSD IXOYE
http://galis.org/george/ cell:646-331-2027 mailto:george@galis.org
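The rule layout George describes (INVALID rejected, ESTABLISHED,RELATED accepted, NEW accepted only from listed networks, then a rate-limited log-and-reject chain followed by a rate-limited log and an unconditional drop), written out as an added example script that is not from the thread. It assumes the 2004-era `-m state` match, uses placeholder RFC 5737 ranges for the allowed networks, and wraps the binary in `$IPT` so it can be dry-run with `IPT=echo` before touching a live firewall.

```shell
#!/bin/sh
# Added example: George's INPUT layout from the thread, not code he posted.
IPT="${IPT:-iptables}"
# Networks allowed to open NEW connections (constructed placeholder ranges).
ALLOWED_NEW="${ALLOWED_NEW:-192.0.2.0/24 198.51.100.0/24}"
LIMIT="--limit 1/s --limit-burst 50"   # the limit George quotes

apply_rules() {
    # 1. Out-of-state packets (a SYN+FIN probe, for instance) are INVALID.
    "$IPT" -A INPUT -m state --state INVALID -j REJECT
    # 2. Packets of known connections are accepted.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. NEW connections only from the permitted networks.
    for net in $ALLOWED_NEW; do
        "$IPT" -A INPUT -m state --state NEW -s "$net" -j ACCEPT
    done
    # 4. LOG is non-terminating, so a sub-chain that logs and then rejects
    #    applies both actions to the same packet under one limit counter.
    "$IPT" -N LOGREJECT_ACT
    "$IPT" -A LOGREJECT_ACT -j LOG --log-prefix "fw-reject: "
    "$IPT" -A LOGREJECT_ACT -j REJECT
    # 5. The chain called at the end of the NEW ACCEPT set: within the
    #    limit, log and reject; beyond it, RETURN to INPUT.
    "$IPT" -N NEW_DENY
    "$IPT" -A NEW_DENY -m limit $LIMIT -j LOGREJECT_ACT
    "$IPT" -A NEW_DENY -j RETURN
    "$IPT" -A INPUT -m state --state NEW -j NEW_DENY
    # 6. Whatever came back: log a limited sample, then drop everything.
    "$IPT" -A INPUT -m limit $LIMIT -j LOG --log-prefix "fw-drop: "
    "$IPT" -A INPUT -j DROP
}

# Dry run with: IPT=echo sh this_script.sh
[ "${DRY_RUN_ONLY:-}" = "1" ] || true
```

Running it with `IPT=echo` prints the rules in order so the chain structure can be checked before `iptables` is invoked for real.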