Hi all

I tried a more restrictive (than nothing but NEW on port 80) ruleset for
the http traffic on my webserver and the results were kind of scary ;-)

I filter the incoming tcp traffic to port 80 to a custom chain and there I
do this (sorry for the long lines):
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp flags:FIN,SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere             anywhere           state ESTABLISHED
LOG        all  --  anywhere             anywhere           limit: avg 10/min burst 5 state NEW LOG level warning prefix TTP bad new: '
DROP       all  --  anywhere             anywhere

Amazingly I found out that quite immediately after I added this rule I saw a
few hosts pounding the server with apparently bad http connections. Is this
normal, or something that is only because I just set this rule in motion
during active connections? (I can still connect to the webserver, so this is
not blocking valid requests)

Seeing this, you've got to wonder what messy stuff actually comes in through
valid connections ;-) I'm glad apache isn't very insecure...

Any insights are much appreciated!

Cheers

Simon

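One way to look into the question raised in the post, as an added example that is not part of the original message: a Python tally of the packets the LOG rule recorded, per source address and TCP flag combination. The log lines are constructed in the netfilter LOG target's format, and the match uses the `bad new: ` text of the prefix as it appears in the listing.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the netfilter LOG target's format. Addresses are
# documentation ranges; the prefix is copied as it appears in the listing.
SAMPLE_LOG = """\
Jan 12 10:01:02 web kernel: TTP bad new: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=4242 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
Jan 12 10:01:03 web kernel: TTP bad new: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=552 TOS=0x00 PREC=0x00 TTL=54 ID=4243 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jan 12 10:01:09 web kernel: TTP bad new: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=977 PROTO=TCP SPT=40022 DPT=80 WINDOW=8192 RES=0x00 ACK URGP=0
Jan 12 10:01:10 web kernel: eth0: link up
Jan 12 10:01:15 web kernel: TTP bad new: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=4250 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
"""

# The LOG target prints the set TCP flags as words between RES= and URGP=.
LINE_RE = re.compile(
    r"bad new: .*?SRC=(?P<src>\S+) .*?PROTO=TCP .*?"
    r"RES=\S+ (?P<flags>(?:[A-Z]+ )*)URGP="
)

def parse(line):
    """Return (source address, sorted flag string) for a logged TCP packet."""
    m = LINE_RE.search(line)
    if m is None:
        return None  # not a line written by this LOG rule
    return m["src"], " ".join(sorted(m["flags"].split()))

def summarize(log_text):
    """Count logged packets per source address and per TCP flag combination."""
    per_source = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = parse(line)
        if hit:
            src, flags = hit
            per_source[src][flags] += 1
    return per_source

def non_syn_only(per_source):
    """Sources whose logged packets never carried SYN, i.e. mid-stream
    segments for which connection tracking had no ESTABLISHED entry."""
    return sorted(src for src, counts in per_source.items()
                  if all("SYN" not in flags.split() for flags in counts))

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src, counts in sorted(stats.items()):
        print(src, dict(counts))
    print("non-SYN only:", non_syn_only(stats))
```
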