Hmm, not sure about the "if no flags are set" case. Isn't that stated in the obfuscation.org/ipf/ papers?

There is not an overruling block behind that yet, btw. It's just the first lines I wrote, since I want to kick that traffic out now, instead of just before my overruling block line.

I always use that:

block default stuff that is not wanted in the other list
pass stuff
block all packets that are still alive here.

Like that :)

Btw, the flags RU etc. are just the TCP flags; are they set in the first packet, the second? Perhaps this clarifies a bit:

Some examples use flags S/SA instead of flags S. flags S actually equates to flags S/AUPRFS and matches against only the SYN packet out of all six possible flags, while flags S/SA will allow packets that may or may not have the URG, PSH, FIN, or RST flags set. Some protocols demand the URG or PSH flags, and S/SAFR would be a better choice for these, however we feel that it is less secure to blindly use S/SA when it isn't required. But it's your firewall.

=> S/SAFR allow those in {for TCP, of course}

So:

initial blocks (opt lsrr, opt ssrr, short, etc.)
pass phrases with S/SAFR options
block anything else

This might block undefined flags, not sure though :)

--
Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene
mrtg.grunn.org Dutch mirror of MRTG

-----Original message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Shaun T. Erickson
Sent: Tuesday, 2 March 2004 0:16
To: Remko Lodder
CC: [EMAIL PROTECTED]
Subject: Re: ipfilter tcp flags question

Remko Lodder wrote:
> I do it like this:
>
> block in log quick proto tcp all flags FUP
> block in log quick proto tcp all flags SAFRU/SAFRU
> block in log quick proto tcp all flags SF/SF
> block in log quick proto tcp all flags SR/SR

I'll have to scratch my head over that one for a bit, before I understand it, but I guess you're saying that the above 4 rules imply a fifth in that if none were set, it couldn't get through them, right?

I really dislike implied rules, and avoid them if at all possible, as they are hard to maintain. :) Is there no way to explicitly test for no flags being set?

-ste
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
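
Added example, not part of the thread or of IPFilter itself: a small Python model of the "flags X/Y" comparison as the HOWTO passage quoted in the message describes it, run over the four block rules and the "pass S/SAFR, block anything else" policy. It assumes every rule is quick (first match wins) and looks only at TCP flags, ignoring state, addresses and interfaces; the function names and sample packets are constructed for illustration.

```python
# Added example: models the "flags X/Y" comparison from the quoted HOWTO text.
# Assumptions: every rule is "quick" (first match wins); only TCP flags are examined.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_SIX = "AUPRFS"  # mask implied when a rule gives no "/mask" part

def bits(letters):
    """Turn a flag string such as 'SA' into its TCP flag bit value."""
    value = 0
    for ch in letters:
        value |= FLAG_BITS[ch]
    return value

def matches(spec, packet_flags):
    """True if the packet flags match 'want/mask' (bare 'want' means want/AUPRFS)."""
    want, _, mask = spec.partition("/")
    return (bits(packet_flags) & bits(mask or ALL_SIX)) == bits(want)

# The four block rules from the message, in order.
BLOCK_RULES = ["FUP", "SAFRU/SAFRU", "SF/SF", "SR/SR"]

def first_block_match(packet_flags):
    """Return the first block rule spec that matches, or None."""
    for spec in BLOCK_RULES:
        if matches(spec, packet_flags):
            return spec
    return None

def verdict(packet_flags):
    """Policy sketched in the message: initial blocks, pass S/SAFR, block anything else."""
    hit = first_block_match(packet_flags)
    if hit:
        return "block (flags %s)" % hit
    if matches("S/SAFR", packet_flags):
        return "pass (flags S/SAFR)"
    return "block (final catch-all)"

if __name__ == "__main__":
    # Constructed sample packets; "" is a packet with no flags set.
    for pkt in ["", "S", "SP", "SFP", "SR", "FUP", "SAFRUP"]:
        print("%-7s -> %s" % (pkt or "(none)", verdict(pkt)))
```

In this model a packet with no flags set matches none of the four block rules and is dropped only by the final catch-all.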