I have a "new not syn" packet needed

Bruno Negrão
Thu, 3 Jan 2002 11:18:20 -0200


Jim, thank you for answering me.

But I don't know what you mean about "2002 prefix". What's this? Maybe I use it and don't know....
  ----- Original Message -----
  From: Jim Fleming
  To: Bruno Negrão
  Sent: Thursday, January 03, 2002 2:00 PM
  Subject: Re: I have a "new not syn" packet needed



  Do you use a 2002 prefix ?

  Jim Fleming
  2002:[IPv4]:000X:03DB
  http://www.IPv8.info


    ----- Original Message -----
    From: Bruno Negrão
    To: netfilter@lists.samba.org
    Sent: Thursday, January 03, 2002 5:04 AM
    Subject: I have a "new not syn" packet needed


    Hi all,

    I have configured my iptables rules to block every new not syn packet. The rule is:
    iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

    The problem is that there are some sites that I can't browse from my firewall box (for example, the "login" page on the redhat's site).
    I read in the iptables Tutorial (http://www.boingworld.com/workshops/linux/iptables-tutorial/iptables-tutorial/iptables-tutorial.html#AEN1441) that "new not syn" packets are not used in the standard implementations.

    Could someone give me some opinions about this subject? How must I proceed? (Do I block all new not syn packets?)
    Also, could someone explain to me what the syn bit is?
    Below is the log of the dropped new not syn packet originated from my firewall (SRC=200.195.39.14):

    Jan  3 16:27:20 15bis kernel: New not syn:IN= OUT=eth0 SRC=200.195.39.14 DST=216.148.218.197 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=5376 PROTO=TCP SPT=1035 DPT=80 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0

    Thank you,
    -----------------------------------------------
     -- Bruno Negrão -- Suporte
     -- Plugway Acesso Internet Ltda.
     -- (31)34812311
     -- bnegrao@plugway.com.br

