netfilter bypassed by nessus using UDP packets with source port 53

R. DuFresne dufresne at
Fri Apr 1 20:08:32 CEST 2005



>> Speaking of your ruleset, what's the point of :
>>> -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
>> Linux treats SYN/FIN packets as SYN ones, just as it should be on any
>> RFC compliant stack.
> nessus told me something like that:
> "the remote host does not discard TCP SYN packets which have the FIN flag
> set. This can allow an attacker to defeat your firewall rule set"
> According to you, this is a false positive, thanks for your correction :)

The advice or the position posted to you on this might not be totally 
correct; if Linux indeed does this poor stack behaviour, it is corrected 
by dropping INVALID packets. I know, as I tested with various tools to 
determine how well those drop-INVALID rules work.  INVALID drops also drop 
packets where no flags are set, like a default hping packet.  So, folks 
using INVALID drops will find some of their firewall testing tools failing 
as well.

As this can break some poorly designed apps and Windows-based protocols, 
it's best to log these first, then drop, so one has a record of what's 
happening should something start to fail after invoking the drop INVALID 


Ron DuFresne
-- 
         admin & senior security consultant:

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as its accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
                         -Tom Robins <Still Life With Woodpecker>


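As an added illustration of the log-then-drop INVALID approach and of the separate --tcp-flags FIN,SYN rule discussed above (example code written for this page, not netfilter or kernel code, and not part of the original post): the script below models an INPUT chain as an ordered list of rules and walks four constructed probes through it, a plain SYN, a SYN/FIN probe of the kind Nessus sends, hping's default packet with no flags set, and an ordinary PSH/ACK data segment. The --tcp-flags mask/comp semantics are real iptables behaviour; the set of flag combinations treated as "sane" is an assumption modelled on the flag-validity table of the Linux TCP connection tracker and stands in for -m state --state INVALID, which in reality also consults connection state that this flags-only model does not have.

```python
# Added example: a model of an iptables INPUT chain that logs and then drops
# INVALID TCP packets, followed by an explicit --tcp-flags FIN,SYN FIN,SYN rule.
# Not kernel or netfilter code; the INVALID check is a flags-only approximation.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}


def parse_flags(spec):
    """Turn an iptables flag list ('FIN,SYN', 'ALL', 'NONE') into a bitmask."""
    if spec == "NONE":
        return 0
    if spec == "ALL":
        return sum(FLAG_BITS.values())
    return sum(FLAG_BITS[name] for name in spec.split(","))


def format_flags(bits):
    """Render a bitmask as 'FIN,SYN' style text for log lines ('NONE' if empty)."""
    names = [n for n, b in FLAG_BITS.items() if bits & b]
    return ",".join(names) if names else "NONE"


def tcp_flags_match(mask, comp):
    """Semantics of '-p tcp --tcp-flags mask comp': examine only the bits named in
    mask and require exactly the bits named in comp to be set among them."""
    m, c = parse_flags(mask), parse_flags(comp)
    return lambda bits: (bits & m) == c


# Assumption: flag combinations the Linux TCP connection tracker accepts as sane,
# modelled on its flag-validity table (PSH is ignored there).  Anything else is
# treated here as INVALID.
SANE_FLAGS = {SYN, SYN | URG, SYN | ACK, RST, RST | ACK,
              FIN | ACK, FIN | ACK | URG, ACK, ACK | URG}


def state_invalid(bits):
    """Flags-only approximation of '-m state --state INVALID' (assumption)."""
    return (bits & (FIN | SYN | RST | ACK | URG)) not in SANE_FLAGS


def log_target(prefix):
    """LOG is non-terminating: record the packet, then fall through to the next rule."""
    def apply(bits, log):
        log.append(f"{prefix} flags={format_flags(bits)}")
        return None
    return apply


def verdict(target):
    """DROP and ACCEPT are terminating targets."""
    return lambda bits, log: target


# The chain modelled, in order, mirroring "log these first, then drop":
#   -A INPUT -p tcp -m state --state INVALID -j LOG --log-prefix "INVALID: "
#   -A INPUT -p tcp -m state --state INVALID -j DROP
#   -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
#   -A INPUT -p tcp -j ACCEPT   (constructed stand-in for the rest of the policy)
INPUT_CHAIN = [
    (state_invalid, log_target("INVALID:")),
    (state_invalid, verdict("DROP")),
    (tcp_flags_match("FIN,SYN", "FIN,SYN"), verdict("DROP")),
    (lambda bits: True, verdict("ACCEPT")),
]


def run_chain(bits, chain=INPUT_CHAIN, log=None):
    """Walk the rules in order; return the first terminating verdict and the log lines."""
    log = [] if log is None else log
    for match, target in chain:
        if match(bits):
            result = target(bits, log)
            if result is not None:
                return result, log
    return "ACCEPT", log  # chain policy stand-in


# Constructed probes: a normal SYN, a SYN/FIN probe, hping's default packet
# (no flags), and an ordinary data segment.
PROBES = {
    "syn": parse_flags("SYN"),
    "syn_fin": parse_flags("SYN,FIN"),
    "null": parse_flags("NONE"),
    "data": parse_flags("PSH,ACK"),
}

if __name__ == "__main__":
    for name, bits in PROBES.items():
        result, log = run_chain(bits)
        print(f"{name:8} {format_flags(bits):8} -> {result}  {log}")
```

Running it shows why the explicit FIN,SYN rule never fires once the INVALID rules sit above it: the SYN/FIN probe is logged and dropped by those first, and the no-flags hping packet is dropped the same way, which is exactly the point about testing tools that stop working. Reordering the chain (or removing the INVALID rules) makes the FIN,SYN rule the only thing catching the SYN/FIN probe, and the null packet then reaches ACCEPT.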