[Firehol-support] possible problem with 'malformed-bad'

Thomas Arendsen Hein thomas at intevation.de
Tue Mar 2 18:07:12 GMT 2004
Hi!

The rules in firehol.sh for 'malformed-bad' catch anything matching
this:

--tcp-flags FIN,SYN FIN,SYN
--tcp-flags SYN,RST SYN,RST
--tcp-flags ALL FIN,SYN,RST,ACK,URG
--tcp-flags ALL FIN,PSH,URG

I think these may be bad, too:
--tcp-flags SYN,RST,ACK SYN,RST
--tcp-flags SYN,RST,PSH,ACK,URG SYN,RST,PSH,URG
and probably more ...

Here are some links discussing this topic:
http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
http://cgi.nessus.org/bid.php3?bid=7487

Would it be feasible to use the usual firewall policy here, i.e.
allow only known good combinations, deny everything else?
Will this break some existing (buggy) TCP stacks?

Thomas

-- 
Email: thomas at intevation.de
http://intevation.de/~thomas/
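As an added illustration (not part of the original post, and not FireHOL code), the following Python models the iptables `--tcp-flags MASK COMP` matching semantics, encodes the four `malformed-bad` rules quoted above together with the two combinations the post proposes, and compares that deny-list against an allow-list of legitimate flag combinations. The allow-list (`KNOWN_GOOD`) is an assumption made here for illustration; the post asks whether such a policy is feasible but does not define one. The function names are mine.

```python
"""Model of iptables '--tcp-flags MASK COMP' matching for TCP flag audits.

Added example, not part of the original mailing-list post or of FireHOL.
It reproduces the 'malformed-bad' rules quoted in the post, adds the two
combinations the post proposes, and contrasts that deny-list with an
allow-list of legitimate flag combinations (the allow-list is an assumption
made here for illustration, not something the post specifies).
"""
from itertools import combinations

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def parse_flags(spec: str) -> frozenset:
    """Turn an iptables flag list such as 'FIN,SYN', 'ALL' or 'NONE' into a set."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return frozenset(TCP_FLAGS)
    if spec == "NONE":
        return frozenset()
    flags = frozenset(f.strip() for f in spec.split(","))
    unknown = flags - set(TCP_FLAGS)
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return flags


def tcp_flags_match(packet_flags, mask: str, comp: str) -> bool:
    """iptables semantics: of the flags named in MASK, exactly those in COMP are set."""
    m, c = parse_flags(mask), parse_flags(comp)
    if not c <= m:
        raise ValueError("COMP must be a subset of MASK")
    return (frozenset(packet_flags) & m) == c


# Rules quoted from firehol.sh in the post, as (mask, comp) pairs.
MALFORMED_BAD = [
    ("FIN,SYN", "FIN,SYN"),
    ("SYN,RST", "SYN,RST"),
    ("ALL", "FIN,SYN,RST,ACK,URG"),
    ("ALL", "FIN,PSH,URG"),
]
# The additional combinations the post suggests are bad too.
PROPOSED_EXTRA = [
    ("SYN,RST,ACK", "SYN,RST"),
    ("SYN,RST,PSH,ACK,URG", "SYN,RST,PSH,URG"),
]
# Assumed allow-list of combinations a conforming TCP stack actually sends
# (illustrative; chosen here, not taken from the post).
KNOWN_GOOD = [
    "SYN", "SYN,ACK", "ACK", "FIN,ACK", "RST", "RST,ACK",
    "PSH,ACK", "FIN,PSH,ACK", "ACK,URG", "PSH,ACK,URG", "FIN,PSH,ACK,URG",
]


def all_combinations():
    """Every one of the 64 possible settings of the six flags."""
    for n in range(len(TCP_FLAGS) + 1):
        for combo in combinations(TCP_FLAGS, n):
            yield frozenset(combo)


def flags_to_str(flags) -> str:
    return ",".join(f for f in TCP_FLAGS if f in flags) or "NONE"


def deny_list_catches(packet_flags, rules=MALFORMED_BAD) -> bool:
    """True if any (mask, comp) rule in the deny-list matches the packet."""
    return any(tcp_flags_match(packet_flags, m, c) for m, c in rules)


def allow_list_permits(packet_flags, good=KNOWN_GOOD) -> bool:
    """True if the packet's flags are exactly one of the known-good combinations."""
    return frozenset(packet_flags) in {parse_flags(g) for g in good}


def gap_between_policies(rules=MALFORMED_BAD, good=KNOWN_GOOD):
    """Combinations the allow-list would drop but the deny-list lets through."""
    return sorted(
        flags_to_str(combo)
        for combo in all_combinations()
        if not deny_list_catches(combo, rules) and not allow_list_permits(combo, good)
    )


def redundant_rules(base=MALFORMED_BAD, extra=PROPOSED_EXTRA):
    """Extra rules whose every matching packet is already matched by the base rules."""
    return [
        (m, c) for m, c in extra
        if all(deny_list_catches(p, base)
               for p in all_combinations() if tcp_flags_match(p, m, c))
    ]


if __name__ == "__main__":
    print("proposed rules already covered:", redundant_rules())
    print("pass deny-list, fail allow-list:", gap_between_policies())
```

Running it shows two things a practitioner would want before changing the rule set: the two proposed rules only match segments that the existing `SYN,RST SYN,RST` rule already catches (both require SYN and RST set together), and with the assumed allow-list 28 of the 64 flag combinations pass the deny-list but would not pass the allow-list, including a segment with no flags at all and one with FIN alone. Whether every one of those 28 is safe to drop is exactly the compatibility question the post raises about buggy stacks.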