Thanks for your research into the kernel source; it was most helpful in
determining what INVALID does (as you mentioned, the man pages are a bit
vague there).
--
block invalid combinations of TCP flags
https://bugs.launchpad.net/bugs/323950
You received this bug notification because you are a memb
The following lines were put into /etc/ufw/before.rules to address invalid
combinations of tcp flags in the first place:
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -
** Changed in: ufw
Status: Confirmed => Triaged
** Changed in: ufw (Ubuntu)
Status: Confirmed => Triaged
** Changed in: ufw (Ubuntu)
Milestone: None => ubuntu-10.04
--
Got it, looks good.
On Fri, Nov 20, 2009 at 5:18 PM, PatRiehecky wrote:
> I believe I built the patch to update both rule sets. I may have
> botched it (and it wouldn't be the first time I've done that), but my
> intent was for the first section to update IPv6 and the second to do v4.
>
> --
>
I believe I built the patch to update both rule sets. I may have
botched it (and it wouldn't be the first time I've done that), but my
intent was for the first section to update IPv6 and the second to do v4.
--
These rules can be applied to IPv6 connections also (switch iptables
to ip6tables).
On Fri, Nov 13, 2009 at 12:05 PM, PatRiehecky wrote:
> I figured I would put forth a patch to implement the simplest starting
> ground. Established connections aren't overly protected by this (there
> are some eas
They look very reasonable - great job!
On Fri, Nov 13, 2009 at 12:05 PM, PatRiehecky wrote:
> I figured I would put forth a patch to implement the simplest starting
> ground. Established connections aren't overly protected by this (there
> are some easy things to do), but a basic bad flags scan
I figured I would put forth a patch to implement the simplest starting
ground. Established connections aren't overly protected by this (there
are some easy things to do), but a basic bad flags scan will be blocked.
** Attachment added: "Basic bad flags block"
http://launchpadlibrarian.net/3565
** Also affects: ufw (Ubuntu)
Importance: Undecided
Status: New
** Changed in: ufw
Status: New => Confirmed
** Changed in: ufw (Ubuntu)
Status: New => Confirmed
** Changed in: ufw (Ubuntu)
Importance: Undecided => Wishlist