As Tobias has pointed out to me, the first line here
is misleading at best; it should read something along
the lines of...
The ! -y flag matches only packets without the LONE SYN bit set,
i.e. the SYN bit by itself.
Sorry if this caused any confusion.
-----Original Message-----
From: Jamie Swithenbank [mailto:[EMAIL PROTECTED]]
Sent: 21 June 2001 09:44
To: Scott H
Cc: [EMAIL PROTECTED]
Subject: RE: Chains question
The ! -y flag matches only packets without the SYN bit set.
The SYN flag is used in the initial phase of the so-called 'three-way
handshake', where it is used by the system requesting a TCP connection.
You will commonly set this on the input chain to specifically inhibit INCOMING
TCP SYN requests, i.e. stop an incoming TCP connection on those ports.
However, as long as you do not place the rule on the output chain, this
does not interfere with the three-way handshake of outbound connections
from the local system. Basically, if placed only on the input chain,
it stops inbound TCP connections on the specified ports, while allowing
the initiation of outbound TCP connections.
The flag is fairly commonly used on unprivileged (>1024) ports, where,
although you often MUST allow connections (if you wish to run client apps,
and some servers, on the firewall), you only want them to be outbound.
I would say, unless it's on the output or forward chains, then it's not a
mistake.
Hope this helps.
-----Original Message-----
From: Scott H [mailto:[EMAIL PROTECTED]]
Sent: 21 June 2001 01:47
To: [EMAIL PROTECTED]
Subject: Chains question
Thanks, that makes sense... Now how about the ! -y option for TCP? It
just makes sure the ACK flag is set on incoming TCP, right? How will
this affect things?
What about UDP?
The firewall is masquerading my access to the net, so if someone were to
run an exploit against the firewall's TCP or UDP ports they would get
nowhere, right?
-----Original Message-----
From: Wil Cooley [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 20, 2001 5:10 PM
To: Scott H
Cc: [EMAIL PROTECTED]
Subject: Re: Chains question
Thus spake Scott H:
> In many IPchains scripts I see ports above 1024 set to accept in-bound
> traffic on TCP and UDP. There is usually a comment to the effect of
> ports above 1024 are fair game. Could someone explain why this is
> considered to be OK? In my case I am using a Linux firewall for my home
> network.
You need to allow ports above 1024 to be connected to if you're going
to be running any clients on the firewall, like SSH. What happens is
that a client requests a randomly-assigned high port that forms the
local end of the connection.
Wil
--
W. Reilly Cooley [EMAIL PROTECTED]
Naked Ape Consulting http://nakedape.cc
LNXS: Get 0.2.0-devel at http://sourceforge.net/projects/lnxs/
irc.openprojects.net #lnxs
"The only way for a reporter to look at a politician is down."
-- H.L. Mencken
======================================================
SPI Europe Ltd
10 Parkgate
Little Germany
Bradford BD1 5BS
Tel: 01274 701150
Fax: 01274 701160
======================================================
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
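The following is an added example, not code from this thread or from ipchains itself. It simulates what Jamie's `! -y` input-chain rule and Wil's note about high client ports do to real packets. The flag test follows the ipchains man page (`-y` matches TCP packets with SYN set and ACK and FIN cleared, i.e. a lone SYN); the chain, rules, addresses, ports and packets are all constructed here for illustration, and ipchains is not invoked.

```python
"""
Simulation of ipchains -y / ! -y matching on an input chain.
Added example; the Packet/Rule classes, addresses and ports are assumptions
made for illustration, not anything from the thread.
"""
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as they appear in the TCP header flags byte
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0      # TCP flags; ignored for udp


def is_lone_syn(pkt: Packet) -> bool:
    """ipchains -y: TCP with SYN set and ACK and FIN cleared (a new-connection request)."""
    return pkt.proto == "tcp" and bool(pkt.flags & SYN) and not (pkt.flags & (ACK | FIN))


@dataclass(frozen=True)
class Rule:
    target: str                       # "ACCEPT" or "DENY"
    proto: Optional[str] = None       # -p
    dport: Optional[range] = None     # --dport low:high
    syn: Optional[bool] = None        # True = -y, False = ! -y, None = no flag test

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport not in self.dport:
            return False
        if self.syn is not None and is_lone_syn(pkt) != self.syn:
            return False
        return True


def run_chain(rules, policy: str, pkt: Packet) -> str:
    """First matching rule decides, as in ipchains; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# Input chain equivalent to:
#   ipchains -A input -p tcp --dport 1025:65535 ! -y -j ACCEPT
#   ipchains -P input DENY
# Replies to outbound connections land on high ports and lack a lone SYN, so
# they are accepted; an inbound connection request (lone SYN) falls to DENY.
INPUT_RULES = [Rule("ACCEPT", proto="tcp", dport=range(1025, 65536), syn=False)]
INPUT_POLICY = "DENY"

FW, SERVER, OUTSIDER = "192.0.2.1", "198.51.100.10", "203.0.113.7"   # constructed addresses


def outbound_ssh_handshake() -> dict:
    """SSH client on the firewall: only the SYN-ACK leg traverses the input chain."""
    ephemeral = 32900   # kernel-assigned high local port, as Wil describes
    syn = Packet("tcp", FW, ephemeral, SERVER, 22, SYN)            # output chain, not filtered here
    syn_ack = Packet("tcp", SERVER, 22, FW, ephemeral, SYN | ACK)  # input chain
    return {
        "syn_is_lone_syn": is_lone_syn(syn),
        "syn_ack_verdict": run_chain(INPUT_RULES, INPUT_POLICY, syn_ack),
    }


def inbound_tcp(dport: int, flags: int = SYN) -> str:
    """An outside host sends a TCP packet to a port on the firewall."""
    return run_chain(INPUT_RULES, INPUT_POLICY, Packet("tcp", OUTSIDER, 40000, FW, dport, flags))


def inbound_udp(dport: int) -> str:
    """UDP has no SYN bit, so -y / ! -y never applies; only the policy and other rules decide."""
    return run_chain(INPUT_RULES, INPUT_POLICY, Packet("udp", OUTSIDER, 40000, FW, dport))


if __name__ == "__main__":
    print(outbound_ssh_handshake())       # SYN-ACK reply accepted
    print(inbound_tcp(1025))              # lone SYN to a high port: DENY
    print(inbound_tcp(1025, SYN | ACK))   # unsolicited SYN-ACK or ACK probe: ACCEPT
    print(inbound_udp(1025))              # no ACCEPT rule for udp: DENY
```

The last two prints show the caveat a practitioner wants on top of Jamie's answer: `! -y` is a stateless flag test, so any inbound packet to a high port that is not a lone SYN (an ACK or SYN-ACK probe, for instance) still matches the ACCEPT rule and reaches the firewall's stack, and UDP is untouched by the flag entirely and must be handled by its own rules.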