Re: iptables connlimit

2005-03-08 Thread Adrian Minta
On Tue, 08 Mar 2005 00:42:01 +0100
Bernd Eckenfels <[EMAIL PROTECTED]> wrote:

> In article <[EMAIL PROTECTED]> you wrote:
> > server# iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 3 -j REJECT --reject-with tcp-reset
> 
> Have you tried:
> 
> iptables -m connlimit -h
> 
> does it show the connlimit options?
> 
> BTW: my iptables manpage knows about -m connrate --connrate :,
> but it is clearly not available on my system.
> 
> Perhaps it is easiest if you strace the command. Also try to skip single
> parameters (like --reject-with tcp-reset)
> 

server# iptables -m connlimit -h
connlimit v1.2.11 options:
[!] --connlimit-above n    match if the number of existing tcp
                           connections is (not) above n
    --connlimit-mask n     group hosts using mask

server# iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 3 -j REJECT
iptables: No chain/target/match by that name

I use plain sarge (no patches, default kernel, default iptables)
-- 
Best regards,
Minta Adrian





Re: TCP SYN packets which have the FIN flag set.

2005-03-08 Thread Jean HARY

TCP SYN
The device does not seem to discard TCP SYN packets which have the FIN flag set. This security flaw may allow an attacker to bypass firewall rules.

Risk Implication
This device should be configured to discard TCP SYN packets which have the FIN flag set.

Recommendation
This device should be configured to discard TCP SYN packets which have the FIN flag set.

How do I configure the device to discard TCP SYN on HP-UX???

Thanks for your help
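As an added illustration of what the scanner finding means at the packet level (this is not from the thread and is not HP-UX-specific): a small Python routine that pulls the flags byte out of a raw IPv4/TCP packet and applies the discard rule the recommendation asks for. The packet builder, addresses and ports are constructed samples; real filters (ipf, iptables) do this in the kernel, this only shows the decision.

```python
import struct

# TCP flag bits, low byte of the data-offset/flags word (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(ip_packet: bytes) -> int:
    """Return the TCP flags byte of a raw IPv4/TCP packet (no link layer)."""
    version_ihl = ip_packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (version_ihl & 0x0F) * 4          # IP header length in bytes
    if ip_packet[9] != 6:                   # protocol field: 6 = TCP
        raise ValueError("not a TCP segment")
    tcp = ip_packet[ihl:]
    # offset 12 of the TCP header holds data offset (4 bits), reserved, flags
    return struct.unpack_from("!H", tcp, 12)[0] & 0xFF


def should_discard(ip_packet: bytes) -> bool:
    """Policy from the finding: a SYN that also carries FIN is never a valid
    connection request, so the filter must drop it instead of letting it
    through as a 'new connection' that may bypass the SYN-based rules."""
    flags = tcp_flags(ip_packet)
    return bool(flags & SYN) and bool(flags & FIN)


def filter_packets(packets):
    """Split a batch into (accepted, discarded) as a packet filter would."""
    kept, dropped = [], []
    for pkt in packets:
        (dropped if should_discard(pkt) else kept).append(pkt)
    return kept, dropped


def build_packet(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header plus 20-byte TCP header.
    Checksums are left zero because the check above never reads them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                      (5 << 12) | flags,   # data offset 5 words, flags byte
                      8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]),      # RFC 5737 documentation addrs
                     bytes([198, 51, 100, 5]))
    return ip + tcp
```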