[Firehol-support] possible problem with 'malformed-bad'
Thomas Arendsen Hein
thomas at intevation.de
Tue Mar 2 18:07:12 GMT 2004
Hi!
The rules in firehol.sh for 'malformed-bad' catch anything matching
this:
--tcp-flags FIN,SYN FIN,SYN
--tcp-flags SYN,RST SYN,RST
--tcp-flags ALL FIN,SYN,RST,ACK,URG
--tcp-flags ALL FIN,PSH,URG
I think these may be bad, too:
--tcp-flags SYN,RST,ACK SYN,RST
--tcp-flags SYN,RST,PSH,ACK,URG SYN,RST,PSH,URG
and probably more ...
Here are some links discussing this topic:
http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
http://cgi.nessus.org/bid.php3?bid=7487
Would it be feasible to use the usual firewall policy here, i.e.
allow only known good combinations, deny everything else?
Will this break some existing (buggy) TCP stacks?
Thomas
--
Email: thomas at intevation.de
http://intevation.de/~thomas/
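As an added illustration (not code from the post or from firehol), here is a small Python model of how iptables evaluates "--tcp-flags MASK COMP": of the flags named in MASK, exactly those in COMP must be set. It lets you check which of the 64 possible flag sets the quoted 'malformed-bad' rules already catch, whether a proposed rule adds anything, and how the "allow only known good" policy from the post would behave; the KNOWN_GOOD allowlist is my own assumption, not anything firehol ships.

```python
from itertools import combinations

FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

def parse_flags(spec):
    """Turn 'FIN,SYN', 'ALL' or 'NONE' into a frozenset of flag names."""
    if spec == "ALL":
        return frozenset(FLAG_NAMES)
    if spec == "NONE":
        return frozenset()
    return frozenset(spec.split(","))

def tcp_flags_match(mask, comp, packet_flags):
    """iptables semantics: of the flags in MASK, exactly those in COMP are set."""
    m, c, p = parse_flags(mask), parse_flags(comp), parse_flags(packet_flags)
    return (p & m) == (c & m)

# (mask, comp) pairs quoted in the post from firehol.sh's 'malformed-bad'.
MALFORMED_BAD = [
    ("FIN,SYN", "FIN,SYN"),
    ("SYN,RST", "SYN,RST"),
    ("ALL", "FIN,SYN,RST,ACK,URG"),
    ("ALL", "FIN,PSH,URG"),
]
# The two additional combinations the post suggests.
PROPOSED = [
    ("SYN,RST,ACK", "SYN,RST"),
    ("SYN,RST,PSH,ACK,URG", "SYN,RST,PSH,URG"),
]

def rules_catching(packet_flags, rules=MALFORMED_BAD):
    """Return the rules that match a packet carrying these flags."""
    return [r for r in rules if tcp_flags_match(r[0], r[1], packet_flags)]

def caught_by(rules):
    """All 64 possible flag sets, filtered to those at least one rule matches."""
    sets = (",".join(c) or "NONE" for n in range(7) for c in combinations(FLAG_NAMES, n))
    return {parse_flags(s) for s in sets if rules_catching(s, rules)}

# Constructed allowlist (an assumption, not from firehol) of flag sets seen
# in a normal TCP exchange, for the "allow known good, deny the rest" policy.
KNOWN_GOOD = {parse_flags(s) for s in (
    "SYN", "SYN,ACK", "ACK", "PSH,ACK", "FIN,ACK", "FIN,PSH,ACK",
    "RST", "RST,ACK", "URG,ACK", "PSH,URG,ACK")}

def allowed_by_allowlist(packet_flags):
    """Allowlist policy: accept only flag sets in KNOWN_GOOD."""
    return parse_flags(packet_flags) in KNOWN_GOOD
```

Comparing caught_by(PROPOSED) with caught_by(MALFORMED_BAD) shows whether a proposed rule reaches any flag set the existing rules miss.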