netfilter bypassed by nessus using UDP packets with source port
dufresne at sysinfo.com
Fri Apr 1 20:08:32 CEST 2005
>> Speaking of your ruleset, what's the point of :
>>> -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
>> Linux treats SYN/FIN packets as SYN ones, just as it should be on any
>> RFC compliant stack.
> nessus told me something like that :
> "the remote host does not discard TCP SYN packet which have FIN flag
> set. This can allow an attacker to defeat your firewall rules set"
> According to you, this is a false positive, thanks for your correction :)
The advice or the position posted to you on this might not be totally
correct. If Linux indeed does this poor stack behaviour, it is corrected
by dropping INVALID packets; I know, I tested with various tools to
determine how well those drop INVALID rules work. INVALID drops also drop
packets where no flags are set, like a default hping packet. So, folks
using INVALID drops will find some of their firewall testing tools failing.
As this can break some poorly designed apps and Windows-based protocols,
it's best to log these first, then drop, so one has a record of what's
happening should something start to fail after invoking the drop INVALID.
admin & senior security consultant: sysinfo.com
...Love is the ultimate outlaw. It just won't adhere to rules.
The most any of us can do is sign on as its accomplice. Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question. The words
"make" and "stay" become inappropriate. My love for you has no
strings attached. I love you for free...
-Tom Robbins <Still Life With Woodpecker>
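The log-first, then-drop arrangement the reply recommends, written out as an added example; this is not the original poster's ruleset nor anything from the thread. It assumes eth0 as the external interface (taken from the quoted rule), uses the conntrack match (the older `-m state --state INVALID` spelling works the same), and adds a rate limit on the LOG rules, which is my choice, so a scan cannot flood the log. Setting IPT=echo previews the commands instead of applying them, which is also how the sanity check at the bottom works without root.

```shell
#!/bin/sh
# Added example: log-then-drop for conntrack INVALID packets, plus the
# explicit SYN+FIN rule from the thread. Not the poster's own ruleset.
# IPT defaults to iptables; IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"          # assumption: external interface, as in the quoted rule

install_rules() {
    # 1. Anything conntrack cannot classify (bad TCP flag combinations,
    #    out-of-window segments, flagless packets such as hping3's default
    #    TCP probe, stray ACKs) is logged (rate-limited) and then dropped.
    #    Logging first leaves a record if some application breaks later.
    $IPT -A INPUT -i "$IFACE" -m conntrack --ctstate INVALID \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FW INVALID: " --log-level 4
    $IPT -A INPUT -i "$IFACE" -m conntrack --ctstate INVALID -j DROP

    # 2. The SYN+FIN rule discussed in the thread, kept as an explicit,
    #    separately logged rule so a scanner probing for it is visible in
    #    the log under its own prefix rather than lumped in with INVALID.
    $IPT -A INPUT -i "$IFACE" -p tcp --tcp-flags FIN,SYN FIN,SYN \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FW SYN/FIN: " --log-level 4
    $IPT -A INPUT -i "$IFACE" -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
}

# Preview the ruleset (IPT=echo in a subshell) and count the rules that
# jump to a given target. Lets the ruleset be checked without root or
# a kernel with netfilter; used by the sanity check below.
count_rules() {
    ( IPT=echo; install_rules ) | grep -c -- "-j $1"
}

# Apply only when explicitly asked; otherwise the file just defines functions.
#   INSTALL_NOW=1 sh fw-invalid.sh        apply
#   IPT=echo INSTALL_NOW=1 sh fw-invalid.sh   preview
if [ "${INSTALL_NOW:-0}" = 1 ]; then
    install_rules
fi
```

After loading, `hping3 -S -F -p 22 <host>` (SYN+FIN) and a plain `hping3 <host>` (no flags set) both stop getting replies, and the kernel log shows the corresponding prefix, which is exactly the "firewall testing tools failing" effect the reply describes.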