Re: TCP SYN packets which have the FIN flag set.
On Thu, Nov 04, 2004 at 06:48:29PM +0100, Luis Pérez Meliá wrote:

> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Doesn't match any packets which have the SYN flag set.

> iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL SYN -j ACCEPT

Matches SYN packets which have all the other flags unset. So no problem here.

The packet filtering code in kernels 2.4.x and 2.6.x should not exhibit the behavior Nessus found, unless badly configured. In other words, the problem might lie somewhere in Your iptables configuration/scripts. Using some higher-level firewall configuration utility might be an option?

You may want to run Nessus with greater verbosity enabled, if that's possible, and/or use tcpdump(8) to discover what's really going on the wire. Ethereal seems to be quite a good tool if You're not that proficient in TCP/IP and the rather cryptic tcpdump output.

HTH,
-- 
Jan

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: TCP SYN packets which have the FIN flag set.
also sprach Luis Pérez Meliá <[EMAIL PROTECTED]> [2004.11.04.1848 +0100]:

> iptables -A INPUT -m state --state NEW -p tcp --tcp-flags
> ALL SYN -j ACCEPT

What's the point of matching state NEW *and* SYN packets? Just SYN packets should suffice.

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Re: TCP SYN packets which have the FIN flag set.
I'm using iptables. In my rules I have this:

. . .
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL SYN -j ACCEPT

Thanks for the web: http://iptables-tutorial.frozentux.net

On Thu, 04-11-2004 at 12:14, Jan Minar wrote:

> Please don't use HTML.

Sorry!

> On Wed, Nov 03, 2004 at 06:35:58PM +0100, Luis Pérez Meliá wrote:
> > Is this a serious problem?
>
> Maybe. It is a very serious bug.
>
> > Test ID:11618 View Source Category:Firewalls Title:Remote host replies to
> > SYN+FIN Summary:Sends a SYN+FIN packet and expects a SYN+ACK Description:
> > The remote host does not discard TCP SYN packets which
> > have the FIN flag set.
>
> google/wikipedia will tell you what TCP SYN packets are, and why it's so
> important to filter them on the firewall.
>
> > Depending on the kind of firewall you are using, an
> > attacker may use this flaw to bypass its rules.
>
> So, which firewall are You using?

-- 
 .''`.  Luis Pérez Meliá
: :'  :
`. `'`
  `-    Debian GNU/Linux
Re: TCP SYN packets which have the FIN flag set.
The FIN flag indicates that the host that sends it is ready to drop the connection, but a SYN flag indicates that the host is ready to start a connection. Having both set is bad because a cracker can use this to sneak packets through a firewall that does not block them.

If you are using IPTables, then you would filter using the TCP Flags option, and drop the packets. I recommend some reading over at http://iptables-tutorial.frozentux.net/ There is a lot of good stuff over there, including info on TCP connections and the handshake process, which is vital in setting up a "Good" firewall, IMHO, anyway.

--- Luis Pérez Meliá <[EMAIL PROTECTED]> wrote:

> Is this a serious problem?
>
> When I pass Nessus:
>
> Test ID:11618 View Source Category:Firewalls Title:Remote host replies
> to SYN+FIN Summary:Sends a SYN+FIN packet and expects a SYN+ACK
> Description:
> The remote host does not discard TCP SYN packets which
> have the FIN flag set.
>
> Depending on the kind of firewall you are using, an
> attacker may use this flaw to bypass its rules.
>
> See also :
> http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
> http://www.kb.cert.org/vuls/id/464113
>
> Solution : Contact your vendor for a patch
> Risk factor : Medium Cross-Ref:BugTraq ID: 7487
>
> Thanks,
> --
>
>  .''`.  Luis Pérez Meliá
> : :'  :
> `. `'`
>   `-    Debian GNU/Linux

=====
"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity." -Dennis Ritchie
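As an added example (not code from this thread or from iptables), the Python below models the `--tcp-flags MASK COMP` match that both Jan's analysis of the `ALL SYN` accept rule and the reply above rely on, and walks a small constructed rule set over constructed TCP headers: it shows that `--tcp-flags ALL SYN` only matches a pure SYN, so a SYN+FIN probe falls through, and that an explicit `--tcp-flags ALL SYN,FIN -j DROP` rule catches it. The flag bit values are the standard TCP header layout; the rule set, header contents and DROP chain policy are assumptions for the demonstration.

```python
import struct

# Standard TCP flag bits in header byte 13 (SYN listed first only so that
# describe() prints "SYN+FIN" in the order the thread uses).
FLAGS = {"SYN": 0x02, "FIN": 0x01, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())  # iptables' ALL keyword covers these six flags

def flag_bits(names):
    """Parse an iptables flag list such as 'SYN,FIN', 'ALL' or 'NONE'."""
    if names == "ALL":
        return ALL
    if names == "NONE":
        return 0
    return sum(FLAGS[n] for n in names.split(","))

def tcp_flags(tcp_header):
    """Flags byte of a raw TCP header (low six bits of byte 13)."""
    return tcp_header[13] & 0x3F

def tcp_flags_match(tcp_header, mask, comp):
    """Semantics of '--tcp-flags MASK COMP': examine only the MASK bits and
    require exactly the COMP bits to be set among them."""
    return tcp_flags(tcp_header) & flag_bits(mask) == flag_bits(comp)

def build_header(flags, sport=40000, dport=80):
    """Constructed 20-byte TCP header (no options) carrying the given flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)

def describe(tcp_header):
    """Human-readable flag list, e.g. 'SYN+FIN'."""
    bits = tcp_flags(tcp_header)
    return "+".join(n for n, b in FLAGS.items() if bits & b) or "none"

# Constructed INPUT rules for new TCP segments, in iptables evaluation order.
RULES = [
    ("ALL", "SYN,FIN", "DROP"),  # illegal SYN+FIN combination: drop it explicitly
    ("ALL", "SYN", "ACCEPT"),    # pure SYN: the accept rule quoted in the thread
]

def verdict(tcp_header):
    """First matching rule wins, as in an iptables chain; policy is assumed DROP."""
    for mask, comp, target in RULES:
        if tcp_flags_match(tcp_header, mask, comp):
            return target
    return "DROP"

if __name__ == "__main__":
    for probe in (0x02, 0x03, 0x12):
        hdr = build_header(probe)
        print(f"{describe(hdr):8} -> {verdict(hdr)}")
```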
Re: TCP SYN packets which have the FIN flag set.
Please don't use HTML.

On Wed, Nov 03, 2004 at 06:35:58PM +0100, Luis Pérez Meliá wrote:
> Is this a serious problem?

Maybe. It is a very serious bug.

> Test ID:11618 View Source Category:Firewalls Title:Remote host replies to
> SYN+FIN Summary:Sends a SYN+FIN packet and expects a SYN+ACK Description:
> The remote host does not discard TCP SYN packets which
> have the FIN flag set.

google/wikipedia will tell you what TCP SYN packets are, and why it's so important to filter them on the firewall.

> Depending on the kind of firewall you are using, an
> attacker may use this flaw to bypass its rules.

So, which firewall are You using?

-- 
Jan