subject:"grouped tcp flags"

Re: grouped tcp flags

2003-04-01 Thread Max Laier

> > Agreed, but a quick block on some of the common nmap flags on the very
top
> > of your ruleset can save you some time (right?) Esp. when somebody went
mad,
> > has a big pipe and found out about insane-nmap timeing.
>
> *sigh*
>
> And all other tcp packets (which are most likely to happen more often)
> evaluate through all that shit every time? Great gain after all, eh?
>

I didn't test/benchmark/analyse it ... did you? It's just a bitmask
afterall.

max

Re: grouped tcp flags

2003-04-01 Thread Daniel Hartmeier

On Tue, Apr 01, 2003 at 08:37:52AM +0200, [EMAIL PROTECTED] wrote:

> >  flags  = flags ( flag-set / flag-set | / flag-set )
> >  flag-set   = [ F ] [ S ] [ R ] [ P ] [ A ] [ U ] [ E ] [ W ]
> 
> this is wrong.. who wrote that shit? :)

The first part of the RHS is the literal "flags" (the token, keyword),
so that would be

> flags = [ flag-set ] / flag-set

flags = "flags" [ flag-set ] "/" flag-set

(did we start quoting some things yet?)

Daniel

Re: grouped tcp flags

2003-04-01 Thread Mike Pechkin

On Tue, Apr 01, 2003 at 04:15:55PM +0200, Philipp Buehler wrote:

> [list added again, I think this is public interest and should be archived]
> 
> On 01/04/2003, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote To [EMAIL PROTECTED]:
> > I just wanted to drop all nmap and/or other harmful packets... I found half 
> > of this list of flags @ nmap's forums by a guy saying which to block to stop 
> > nmap, the other half I found on a sans.org site... I'll try to dig up a link 
> > if you want it.  Which flags do you recommend blocking?
# block and log nmap OS fingerprinting attempts
#
block return-rst in log quick on $ext_if proto tcp all flags FP/FP
block return-rst in log quick on $ext_if proto tcp all flags SE/SE

Re: grouped tcp flags

2003-04-01 Thread Philipp Buehler

On 01/04/2003, Max Laier <[EMAIL PROTECTED]> wrote To [EMAIL PROTECTED]:
> > If you dont want port XYZ being reached. Block it. Completly. No
> > matter what fuxxored flag ever is set. Period.
> >
> 
> Agreed, but a quick block on some of the common nmap flags on the very top
> of your ruleset can save you some time (right?) Esp. when somebody went mad,
> has a big pipe and found out about insane-nmap timeing.

*sigh*

And all other tcp packets (which are most likely to happen more often) 
evaluate through all that shit every time? Great gain after all, eh?

Re: grouped tcp flags

2003-04-01 Thread Max Laier


> If you dont want port XYZ being reached. Block it. Completly. No
> matter what fuxxored flag ever is set. Period.
>
> //pb
>

Agreed, but a quick block on some of the common nmap flags on the very top
of your ruleset can save you some time (right?) Esp. when somebody went mad,
has a big pipe and found out about insane-nmap timeing.

max

Re: grouped tcp flags

2003-04-01 Thread Philipp Buehler

[list added again, I think this is public interest and should be archived]

On 01/04/2003, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote To [EMAIL PROTECTED]:
> I just wanted to drop all nmap and/or other harmful packets... I found half 
> of this list of flags @ nmap's forums by a guy saying which to block to stop 
> nmap, the other half I found on a sans.org site... I'll try to dig up a link 
> if you want it.  Which flags do you recommend blocking?

First off:
nmap is dumb

Furthermore, *most* people using nmap are completly clueless about
what is happening - and to make it worse: nmap interprets packets
coming back (or not) in a very "special" way. Let's say, it tries
to think for the user.

After all they see an output of closed/open/filtered ports which
is *way often* not even *close* to reality.

Please think it through .. all this 'hiding' is totally silly and useless.

Think about they get a response (or not) which is interpreted as
XYZ/tcp  filtered

Now what? Can they do something harmful w/ FUP on port XYZ there?
Can they even create a *valid* connection to there for carrying 
payload UP THE STACK WHERE IT WOULD HURT?

Geeez..

If you dont want port XYZ being reached. Block it. Completly. No
matter what fuxxored flag ever is set. Period.

//pb

Re: grouped tcp flags

2003-03-31 Thread pb

On 01/04/2003, jared r r spiegel <[EMAIL PROTECTED]> wrote To [EMAIL PROTECTED]:
> > will 
> > the following work?  Does pf syntax allow this?
> > 
> > BadTCPFlags="{ FUP, FUP/FUP, SF/SFRA, /SFRA, F/SFRA, U/SFRAU, P, \
> > FS/FS,  FSRPAU, /FSRPAU }"
> > 
> > block in quick proto tcp all flags $BadTCPFlags

no (geeez!).. dont overdo this flag shit, mmkay?

>  flags  = flags ( flag-set / flag-set | / flag-set )
>  flag-set   = [ F ] [ S ] [ R ] [ P ] [ A ] [ U ] [ E ] [ W ]

this is wrong.. who wrote that shit? :)

flags = [ flag-set ] / flag-set

(Daniel, ok? :) )

//pb

Re: grouped tcp flags

2003-03-31 Thread jared r r spiegel

> will 
> the following work?  Does pf syntax allow this?
> 
> BadTCPFlags="{ FUP, FUP/FUP, SF/SFRA, /SFRA, F/SFRA, U/SFRAU, P, \
> FS/FS,  FSRPAU, /FSRPAU }"
> 
> block in quick proto tcp all flags $BadTCPFlags

  hi adam.

  i made only a slight modification to this: namely inserted
  'on fxp0' ( external iface ) between 'quick' and 'proto', 
  as i didn't want to decapitate my putty session; and pfctl yelled
  at me with a syntax error.  ( i had a new pf.conf with only your
  lines above, to keep it clean ).

  i tried reducing BadTCPFlags down to = "{ S/SA }", and that 
  also got an error.

  so, the flags thing seems to not like the '"{' '}"' action, 
  as i just hardcoded that also into the line ( S/SA ) and it 
  bailed on me too.

  i tried without the braces, and got the same.  checked the
  manpage:

 flags  = flags ( flag-set / flag-set | / flag-set )
 flag-set   = [ F ] [ S ] [ R ] [ P ] [ A ] [ U ] [ E ] [ W ]

  i've noticed the  pf.conf manpage is really good about letting
  you know if you can get away with braces and things like that, they're
  almost always in the sytax somewhere.   to me, this means that
  'flags' has a syntax of :

  flags flag-set/flag-set

  or

  flags /flag-set

  ( where obviously flag-set is some combination of those letters )

  if braces were chill, i'd expect to see something more like how
  protoset and proto-list say: 'ok, put a name or a number, or a list',
  and then defines a list as a string of names/numbers and mentions the
  '[ , ]'.  usually if i don't see a '[ , ]' in the construct somewhere,
  i assume pfctl will yell at me.

  so short answer, no, didn't work from over here. 

  jared.

Re: grouped tcp flags

2003-03-31 Thread HKSPKS

I'm not in a situation where I can test it quite yet, I'm coming up with a firewall rulelist I won't be able to implement for another month or so @ my workplace.  Home dialup (aol email as you can see) isn't obsd compatable :P I live out in the sticks...  no play around time work lately to test a ruleset.  Sorry, but unless I can find a friend who can test it out first, I won't be able to know or report any results... frustratingly few people know about openbsd though.  Any help would greatly be appreciated.

Adam Wenzel

grouped tcp flags

2003-03-31 Thread HKSPKS

Is it possible to explicitly deny specific incoming tcp flag possibilities as a single variable?  I know I could set up ten different rules, but I understand this may run quicker, even if the difference isn't noticable it seems much cleaner.  It's hard to ask the question... in other words, will the following work?  Does pf syntax allow this?

BadTCPFlags="{ FUP, FUP/FUP, SF/SFRA, /SFRA, F/SFRA, U/SFRAU, P, \
FS/FS,  FSRPAU, /FSRPAU }"

block in quick proto tcp all flags $BadTCPFlags


TIA,

Adam Wenzel

Re: grouped tcp flags

Re: grouped tcp flags

Re: grouped tcp flags

Re: grouped tcp flags

Re: grouped tcp flags

Re: grouped tcp flags

Re: grouped tcp flags

Re: grouped tcp flags

Re: grouped tcp flags

grouped tcp flags

10 matches

Site Navigation

Mail list logo

Footer information