[Firehol-support] possible problem with 'malformed-bad'

Costa Tsaousis costa at tsaousis.gr
Sat Mar 6 01:20:32 GMT 2004


>> Added this in v1.180 in the CVS.
> This is a subset of SYN,RST SYN,RST, too, so you can remove it.
> Seems as if that rule didn't make it to my brain :)

You are right. I have removed it :)

> There may be another problem: Detecting which OS and/or OS version
> is used on a host behind the firewall, depending on the reaction to
> a tcp package with bad flags. At least nessus complains about this
> when scanning the firewall, so there is at least the threat of a
> false positive.

Of course! This is another reason for having those malformed packets matches.


More information about the Firehol-support mailing list