I thought the 2.0 kernel firewalling code was more flexible than it seems
to be... 

I really don't particularly want folks sending malformed packets into my
network to try to figure out what O/S is behind what IP packets... but
when I went to try to filter out SYN+FIN type packets I came up against
what looks like a brick wall ... ?

Is this do-able? is 2.1 better? (Sorry, I really should have a 2.1 kernel
here, I just haven't had time to look at it...) ... Hhhmm, I don't see
anything obvious in http://www.rustcorp.com/linux/ipchains/ that talks
about the TCP flags other than what is already in ipfwadm and 2.0 :-(

Is the only way to do this via the userspace route? ... which sounds
untested and slow...

----------------------------------------------------------------------
[EMAIL PROTECTED]   | Don't go around saying the world owes you a living;
http://BareMetal.com/  | the world owes you nothing; it was here first.
web hosting since '95  | - Mark Twain

---------- Forwarded message ----------
Date: Mon, 7 Dec 1998 03:03:22 -0600
From: Mark Spencer <[EMAIL PROTECTED]>
Reply-To: Bugtraq List <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Cheops

I've been developing a new network administration and access tool for
Linux called Cheops.  From the README:

"Cheops is a network "swiss army knife".  It's `network neighborhood' done
right (or gone out of control, depending on your perspective).  It's a
combination of a variety of network tools to provide system administrators
and users with a simple interface to managing and accessing their
networks.  Cheops aims to do for the network what the file manager did for
the filesystem."

Now, while Cheops is designed to give the administrator and the user a
powerful view of their networks, it could also be used to provide a
cracker with a view of your network as well.  The purpose of this message
is twofold:  (a) to inform of the availability of cheops, and encourage
people to see if it can help them with maintaining their network and (b)
to educate as to the methods employed by cheops to help preempt its
potential use as a "point-and-hack" interface.

Technologically, there is nothing new about cheops.  It uses techniques
from traceroute, queso, and halfscan to determine network topology,
operating systems, and services.  What is somewhat new about cheops is the
interface that it presents the user of the network, much like files are
represented with a file manager.  Right clicking on a host presents a menu
of services and easy point-and-click access to them.  Rudimentary mapping
functionality is also available.  So, signs that someone is using cheops
on your network would include:

* Ping activity (discovery)
* lots of traceroute activity (cheops uses the same ports as traceroute)
* TCP packets with unusual flags (queso-style OS detection)
* Half-scanning (for determining the menu, only when someone right-clicks a
  host)

For more information on Cheops, please see its web site at
http://www.marko.net/cheops or download it at
ftp://ftp.marko.net/pub/cheops.

Cheops builds on glibc Linux systems with the GTK (libc5 also works, but
you must edit the Makefile and possibly a header file) and is distributed
under GNU GPL.

I eagerly welcome any comments or suggestions regarding cheops from both a
user/administrator perspective and a security perspective.

Mark
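Both messages above turn on the same observable: TCP segments carrying flag combinations (SYN+FIN, FIN with no ACK, no flags at all) that a real handshake never produces. The following is an added example, written by the editor and not code from either poster or from Cheops, showing how a monitor could pick such packets out of raw IPv4/TCP headers; the packet builder and the 192.0.2.x addresses are constructed test data.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits

def make_ipv4_tcp(src, dst, sport, dport, flags):
    """Build a minimal IPv4+TCP packet (no options, zero checksums): constructed test data."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr

def tcp_fields(packet):
    """Return (src_ip, dst_port, flags) for a raw IPv4 packet, or None if it is not TCP."""
    if packet[9] != 6:                    # IPv4 protocol field: 6 = TCP
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    src = ".".join(str(b) for b in packet[12:16])
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    flags = packet[ihl + 13]              # flags byte follows the data-offset byte
    return src, dport, flags

def classify_flags(flags):
    """Name flag combinations that no legitimate TCP endpoint sends, else None."""
    if flags & SYN and flags & FIN:
        return "SYN+FIN"
    if not flags & 0x3F:
        return "NULL"
    if flags & FIN and not flags & ACK:
        return "FIN-only"
    return None

def audit(packets):
    """Return one alert line per packet whose TCP flags are anomalous."""
    alerts = []
    for pkt in packets:
        parsed = tcp_fields(pkt)
        if parsed is None:
            continue
        src, dport, flags = parsed
        label = classify_flags(flags)
        if label:
            alerts.append(f"{label} from {src} to port {dport}")
    return alerts

# Constructed traffic: one normal handshake SYN and two probe-style packets.
SAMPLE = [
    make_ipv4_tcp("192.0.2.10", "192.0.2.1", 40000, 80, SYN),
    make_ipv4_tcp("192.0.2.99", "192.0.2.1", 40001, 80, SYN | FIN),
    make_ipv4_tcp("192.0.2.99", "192.0.2.1", 40002, 22, FIN),
]
```

Running `audit(SAMPLE)` reports only the two probe packets; a SYN, SYN+ACK or FIN+ACK passes as normal, which is the distinction a filter or logger for this traffic has to make.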
