Public bug reported:

Binary package hint: ufw

I would like to petition for adding the following rules to the default
UFW.  These rules drop all packets that make no earthly sense.  These
packets only exist from scanners (or really, really, really broken TCP
stacks), and as such are safely ignored.  Their blocking will help make
scanning Ubuntu boxes with UFW enabled that much harder.

-A CheckRFC -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,RST FIN,SYN,RST -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

Not a single packet listed above is valid, but they are rather easy to
make with nmap.  Since they have no legit purpose for entering any
server, why not simply ignore them?  Since these can only be nonsense,
placing them above the RELATED,ESTABLISHED rules is safe and can also
serve to help prevent against malicious disconnects.  It is harder to
screw up someone's connection when you can only inject valid packets.
The data may still cause issues, but it is at least something.

** Affects: ufw (Ubuntu)
     Importance: Undecided
         Status: New

-- 
[wishlist] ufw enforce RFC packets
https://bugs.launchpad.net/bugs/326191
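The following is an added example and is not code from the bug report, from ufw or from iptables. It models the matching rule that `--tcp-flags MASK COMP` applies (only the bits named in MASK are examined, and they must equal COMP exactly) and walks the twelve proposed CheckRFC rules, in the order given above, over a set of constructed flag combinations. Normal handshake and data traffic (SYN, SYN/ACK, ACK, PSH/ACK, FIN/ACK, RST) passes every rule, while the null, bare-FIN, FIN/PSH/URG, SYN/FIN, bare-URG, bare-PSH and SYN/RST combinations are each caught by some rule. The rule list is embedded here with the line-wrapped entries rejoined; the sample packets are constructed for this example.

```python
# Added example (not from the bug report or from ufw): a small model of how
# iptables evaluates "--tcp-flags MASK COMP", used to check the CheckRFC
# rules proposed above against sample flag combinations, offline.
import re
from typing import Optional, Tuple

# TCP header flag bits (RFC 793). iptables' --tcp-flags names exactly these six.
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F

# The twelve rules from the report, with the wrapped lines rejoined.
CHECKRFC_RULES = [
    "-A CheckRFC -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP",
    "-A CheckRFC -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP",
    "-A CheckRFC -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP",
    "-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP",
    "-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,RST FIN,SYN,RST -j DROP",
    "-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP",
    "-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP",
    "-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP",
    "-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP",
    "-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP",
    "-A CheckRFC -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP",
    "-A CheckRFC -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP",
]


def parse_flag_list(spec: str) -> int:
    """Turn 'FIN,SYN', 'ALL' or 'NONE' into a bitmask; unknown names raise KeyError."""
    spec = spec.strip().upper()
    if spec == "NONE":
        return 0
    if spec == "ALL":
        return ALL_FLAGS
    value = 0
    for name in spec.split(","):
        value |= TCP_FLAG_BITS[name]
    return value


_TCP_FLAGS_RE = re.compile(r"--tcp-flags\s+(\S+)\s+(\S+)")


def parse_rule(rule: str) -> Tuple[int, int]:
    """Extract (mask, comp) from an iptables rule line that uses --tcp-flags."""
    m = _TCP_FLAGS_RE.search(rule)
    if m is None:
        raise ValueError(f"no --tcp-flags match in rule: {rule!r}")
    return parse_flag_list(m.group(1)), parse_flag_list(m.group(2))


def rule_matches(mask: int, comp: int, flags: int) -> bool:
    """iptables semantics: look only at the bits in MASK; they must equal COMP exactly."""
    return (flags & mask) == comp


def first_matching_rule(flag_spec: str, rules=CHECKRFC_RULES) -> Optional[int]:
    """Index of the first rule that would DROP a packet carrying these flags, else None."""
    flags = parse_flag_list(flag_spec)
    for index, rule in enumerate(rules):
        mask, comp = parse_rule(rule)
        if rule_matches(mask, comp, flags):
            return index
    return None


if __name__ == "__main__":
    # Constructed sample flag sets: ordinary handshake/data traffic first, then
    # the combinations the report describes as never legitimate.
    samples = ["SYN", "SYN,ACK", "ACK", "PSH,ACK", "FIN,ACK", "RST",
               "NONE", "FIN", "FIN,PSH,URG", "SYN,FIN", "URG", "PSH", "SYN,RST"]
    for spec in samples:
        hit = first_matching_rule(spec)
        verdict = ("passes CheckRFC" if hit is None
                   else f"DROP by rule {hit}: {CHECKRFC_RULES[hit]}")
        print(f"{spec:>12}: {verdict}")
```

Running the script shows that rule order decides which rule a packet hits, not whether it is dropped: the first rule (FIN set without ACK) already catches the FIN/PSH/URG and SYN/FIN combinations before their dedicated rules are reached, so only per-rule counters differ. The model covers the flag match only; where the chain is placed in INPUT relative to the RELATED,ESTABLISHED rule is a separate decision, as the report itself notes.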