Firewall Wizards mailing list archives

Re: Iptables doesn't block SYN-FIN packets?


From: "Fabio Pietrosanti (naif)" <naif () sikurezza org>
Date: Fri, 1 Feb 2002 11:44:06 +0100

I wrote down some rules to block commonly used port-scanning techniques.
The rules are below:

$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
           --log-prefix "NMAP-XMAS SCAN:" --log-tcp-options --log-ip-options

$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j LOG \
           --log-prefix "NMAP-NULL SCAN:" --log-tcp-options --log-ip-options

$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
           --log-prefix "SYN/RST SCAN:" --log-tcp-options --log-ip-options

$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
           --log-prefix "SYN/FIN SCAN:" --log-tcp-options --log-ip-options

$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

Regards


--
Fabio Pietrosanti ( naif )
E-mail: naif () sikurezza org - naif () blackhats it
PGP Key (DSS) http://naif.itapac.net/naif.asc
--
 "Hacking is the future of security research" R.Power, CSI 
Free advertising: www.openbsd.org Multiplatform Ultra-secure OS

On Thu, Jan 31, 2002 at 10:42:12AM -0600, Ascent - Compton, Richard wrote:
Hello, 
I'm running an iptables firewall and I thought that everything was well but
my snort logs are recording SYN-FIN portscans getting through.  
I have two questions:
Is anyone here familiar with the problem of iptables not blocking SYN-FIN
packets?  
Nmap doesn't seem to do SYN-FIN scans. Is there a portscanner that you guys
know about that I could use to test the effectiveness of my firewall?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
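An added example, not code from the post above, that simulates the iptables `--tcp-flags MASK COMP` matching used by the four LOG rules so you can check which flag combinations each rule actually catches before relying on them; the names FLAG_BITS, flags() and classify() are assumed helpers introduced here.

```python
# Added example: simulates iptables "--tcp-flags MASK COMP" matching for the
# rule set in the post above (assumed helper names, not the post's own code).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAG_BITS.values())  # iptables keyword ALL: the six classic flags


def flags(spec):
    """Turn an iptables flag list such as 'SYN,FIN' (or ALL / NONE) into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        mask |= FLAG_BITS[name]
    return mask


def tcp_flags_match(packet_flags, mask, comp):
    """--tcp-flags MASK COMP: look only at the MASK bits and require them to equal COMP."""
    return (packet_flags & flags(mask)) == flags(comp)


# The four LOG rules from the post, in chain order: (mask, comp, log prefix).
RULES = [
    ("ALL", "FIN,URG,PSH", "NMAP-XMAS SCAN:"),
    ("ALL", "NONE", "NMAP-NULL SCAN:"),
    ("SYN,RST", "SYN,RST", "SYN/RST SCAN:"),
    ("SYN,FIN", "SYN,FIN", "SYN/FIN SCAN:"),
]


def classify(packet_flags):
    """Return the log prefix of the first matching rule, or None if no rule fires."""
    for mask, comp, prefix in RULES:
        if tcp_flags_match(packet_flags, mask, comp):
            return prefix
    return None


if __name__ == "__main__":
    # Constructed sample flag sets, not captured traffic.
    samples = {
        "normal SYN": flags("SYN"),
        "normal SYN/ACK": flags("SYN,ACK"),
        "SYN+FIN": flags("SYN,FIN"),
        "SYN+FIN+ACK": flags("SYN,FIN,ACK"),      # caught: mask is only SYN,FIN
        "XMAS": flags("FIN,URG,PSH"),
        "XMAS+ACK": flags("FIN,URG,PSH,ACK"),     # not caught: mask ALL needs exact match
        "NULL": flags("NONE"),
    }
    for name, f in samples.items():
        print(f"{name:15s} -> {classify(f)}")
```

The difference between the `ALL` mask rules (exact match over all six flags) and the `SYN,FIN` / `SYN,RST` mask rules (any packet with both bits set, whatever else is set) is what this shows.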