
pf & potentially harmful packets' tcp flags



I've been looking around the web and have found multiple instances of tcp
packet flags being blocked via pf rules to prevent OS detection and tcp/ip
stack attacks.  Do any of these pf rules below block legit packets?  I
haven't implemented any into my current firewall, but am thinking of doing
so.

# These are supposed to foil nmap's os detection
# Most frequent three flag-specific protection rules I've seen, but the first is
# sometimes FUP/FUP.  Is there a difference between FUP and FUP/FUP flags?
block in quick proto tcp all flags FUP
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags /SFRA

# As mentioned on www.sans.org/rr/firewall/building_IPv6.php
# Are these IPv6 specific?
block in quick proto tcp all flags FS/FS
block in quick proto tcp all flags FSRPAU
block in quick proto tcp all flags /FSRPAU

# As used in this example (google cache, site down or something):
# http://216.239.39.100/search?q=cache:ex2iLxHR0REC:screamingelectron.org/phpBB2/viewtopic.php%3Ft%3D4&hl=en&ie=UTF-8
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU
block in quick proto tcp all flags P

TIA
Adam Wenzel
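An added example (not from the original post, and not pf's own code) that reimplements pf's "flags a/b" matching in Python and runs the rules quoted above against constructed flag combinations, so the "does this drop legit packets" question can be checked rather than guessed. It assumes, as pf.conf(5) documents, that a rule written with only "flags a" and no "/b" uses the whole flag byte as its mask, which is exactly what makes "FUP" and "FUP/FUP" behave differently.

```python
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}
ALL_FLAGS = 0xFF  # pf's mask when a rule gives only "flags a" (assumed, per pf.conf(5))


def flags_of(letters):
    """Turn a pf-style flag string such as 'SA' into the TCP flag byte."""
    return sum(FLAG_BITS[c] for c in letters)


def parse_flags(spec):
    """Parse 'a/b' into (set, mask); with no '/b' every flag is in the mask."""
    set_part, slash, mask_part = spec.partition("/")
    mask = flags_of(mask_part) if slash else ALL_FLAGS
    return flags_of(set_part), mask


def rule_matches(spec, pkt_flags):
    """pf matches when (packet & mask) == set; flags outside the mask are ignored."""
    set_bits, mask = parse_flags(spec)
    return (pkt_flags & mask) == set_bits


# The flag specs from the rules in the post, in the order they appear.
RULES = ["FUP", "FUP/FUP", "SF/SFRA", "/SFRA", "FS/FS", "FSRPAU",
         "/FSRPAU", "F/SFRA", "U/SFRAU", "P"]

# Constructed samples: what a normal TCP conversation produces, and the
# combinations the rules are aimed at.
NORMAL = {"syn": "S", "syn-ack": "SA", "ack": "A", "data": "PA",
          "urgent data": "PAU", "fin-ack": "FA", "rst": "R",
          "rst-ack": "RA", "ecn-setup syn": "SEW"}
ODD = {"no flags": "", "fin+urg+psh": "FUP", "fin+urg+psh+ack": "FUPA",
       "syn+fin": "SF"}


def blocked_by(letters):
    """Return the rule specs that would drop a packet carrying these flags."""
    return [r for r in RULES if rule_matches(r, flags_of(letters))]


def normal_traffic_caught():
    """Names of normal packets that at least one rule would drop (expect none)."""
    return [name for name, f in NORMAL.items() if blocked_by(f)]


if __name__ == "__main__":
    for name, f in {**NORMAL, **ODD}.items():
        print(f"{name:16} {f or '-':5} -> {blocked_by(f) or 'passes'}")
```

normal_traffic_caught() coming back empty is the check that none of the listed rules hits ordinary traffic in these samples; the odd combinations show which rules overlap and that "FUP" stops matching as soon as any other flag (such as ACK) is also set.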