Christian Seberino wrote:

Smart firewallers drop packets based on funky TCP flag settings
that suggest they are from network sniffers and other nasties.

Many of these settings make sense, but, some are so funky I'm not
sure even reading the RFCs would have explained them.  If anyone
has any suggestions on how one can understand the wisdom of all
these rules I really want to know.  (I want to understand
EVERYTHING in my firewall script.)

For example, see these from
http://www.stearns.org/modwall/sample/tcpchk-sample


# Build the tcpchk chain (one rule per line; same rules and order as posted).
/usr/bin/sudo /sbin/iptables -N tcpchk
# Reserved low ports on either end.
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --sport 0:19 -j DROP
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --dport 0:19 -j DROP
# Flag combinations that are legitimate only on a tracked connection.
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL ACK -m state --state ESTABLISHED -j RETURN
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL ACK -m state --state NEW,RELATED -j DROP
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL PSH,ACK -m state --state ESTABLISHED -j RETURN
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL PSH,ACK -m state --state NEW -j RETURN
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -j DROP
# Flag combinations that never occur in a normal TCP exchange.
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL NONE -j DROP
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL ALL -j DROP
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags RST,FIN RST,FIN -j DROP
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags SYN,URG SYN,URG -j DROP
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL SYN,PSH -j DROP
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL SYN,ACK,PSH -j DROP
# FIN, PSH and URG without ACK.
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ACK,FIN FIN -j DROP
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ACK,PSH PSH -j DROP
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ACK,URG URG -j DROP
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL RST -m state --state ESTABLISHED -j RETURN
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL RST -m state --state NEW,RELATED -j DROP
# Neither SYN nor ACK set.
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags SYN,ACK NONE -j DROP
# Handshake and teardown combinations, checked against connection state.
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL SYN -m state --state NEW -j RETURN
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL SYN -m state --state RELATED -j RETURN
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL SYN -m state --state ESTABLISHED -j DROP
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL SYN,ACK -m state --state ESTABLISHED -j RETURN
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL SYN,ACK -m state --state NEW,RELATED -j DROP
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL FIN,ACK -m state --state ESTABLISHED -j RETURN
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL FIN,ACK -m state --state NEW,RELATED -j DROP
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL RST,ACK -m state --state ESTABLISHED -j RETURN
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL RST,ACK -m state --state NEW -j RETURN
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL RST,ACK -m state --state RELATED -j DROP
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state ESTABLISHED -j RETURN
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL ACK,PSH,RST -m state --state NEW,RELATED -j DROP
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL FIN,PSH,ACK -m state --state ESTABLISHED -j RETURN
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL FIN,PSH,ACK -m state --state NEW,RELATED -j DROP
# The next six rules have no -j target as posted: they only match and count,
# so a packet hitting one of them continues down the chain.
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL RST,ACK,PSH
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL RST,ACK,URG
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL RST,ACK,PSH,URG
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL FIN,PSH,ACK,URG
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL ACK,URG
/usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ALL ACK,URG,FIN
# Send all TCP traffic through the chain (the "-i ! lo" form is the old iptables syntax).
/usr/bin/sudo /sbin/iptables -A INPUT -i ! lo -p tcp -j tcpchk
/usr/bin/sudo /sbin/iptables -A FORWARD -p tcp -j tcpchk
/usr/bin/sudo /sbin/iptables -A OUTPUT -p tcp -j tcpchk



I'm skeptical ANYONE really understands all of these.  The ones that really bug
me are the ones that insist that all FIN, PSH and URG packets
must have ACK set.  Who would have known that?

e.g. /usr/bin/sudo /sbin/iptables -A tcpchk -p tcp --tcp-flags ACK,FIN
FIN -j DROP


Chris



I don't have time right now to go over this in detail, but these all appear to be one form or another of TCP stealth scan or illegitimate TCP packet used in either a DOS or DRDOS. The idea is that just because ICMP messages say there's no computer at a scanned address doesn't mean that's true. Sending a packet with the FIN and PSH or FIN and RST bits set may get a response that wouldn't happen if there were really no computer at that destination. Therefore, any packet that has bits set that wouldn't occur in a normal TCP exchange is regarded as suspect and dropped. The ACK,FIN test you cite is meant to block a stealth scan called an Xmas-tree scan by implicitly blocking packets containing FIN-PSH-URG, FIN-PSH, or FIN-URG bits set without the expected ACK bit set.

Obviously incomplete explanation, but, hopefully, helpful.

Robert Donovan
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
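To make Robert's explanation concrete against the tcpchk script Chris posted, here is a small model of the chain that I added to this thread; it is not code from the script or from stearns.org. It transcribes the posted rules in order and emulates what iptables does with them: walk the chain top to bottom, apply `--tcp-flags <mask> <comp>` (only the bits named in the mask are examined, and they must equal comp exactly) and the `-m state` match, and stop at the first rule with a jump target. The sample packets and their conntrack labels are constructed for illustration, so it runs without root or iptables. Tracing a bare FIN and a FIN/PSH/URG packet shows both dying on the same `ACK,FIN FIN` rule Chris asked about, and it also shows that the last six rules, having no `-j` as posted, let a matching packet fall off the end of the chain.

```python
"""Pure-Python model of the posted tcpchk chain (added example, not the
script's own code).  It emulates iptables' first-match walk, the
--tcp-flags <mask> <comp> test and the -m state match, so each sample
packet can be traced to the rule that decides it."""

TCP_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})  # iptables' ALL

# The chain from the post, transcribed in order: mask comp state target.
# "-" means the rule has no -m state match, or (last six) no -j as posted.
RULES_TEXT = """\
ALL ACK ESTABLISHED RETURN
ALL ACK NEW,RELATED DROP
ALL PSH,ACK ESTABLISHED RETURN
ALL PSH,ACK NEW RETURN
ALL PSH,ACK RELATED DROP
ALL NONE - DROP
ALL ALL - DROP
SYN,FIN SYN,FIN - DROP
SYN,RST SYN,RST - DROP
RST,FIN RST,FIN - DROP
SYN,URG SYN,URG - DROP
ALL SYN,PSH - DROP
ALL SYN,ACK,PSH - DROP
ACK,FIN FIN - DROP
ACK,PSH PSH - DROP
ACK,URG URG - DROP
ALL RST ESTABLISHED RETURN
ALL RST NEW,RELATED DROP
SYN,ACK NONE - DROP
ALL SYN NEW RETURN
ALL SYN RELATED RETURN
ALL SYN ESTABLISHED DROP
ALL SYN,ACK ESTABLISHED RETURN
ALL SYN,ACK NEW,RELATED DROP
ALL FIN,ACK ESTABLISHED RETURN
ALL FIN,ACK NEW,RELATED DROP
ALL RST,ACK ESTABLISHED RETURN
ALL RST,ACK NEW RETURN
ALL RST,ACK RELATED DROP
ALL ACK,PSH,RST ESTABLISHED RETURN
ALL ACK,PSH,RST NEW,RELATED DROP
ALL FIN,PSH,ACK ESTABLISHED RETURN
ALL FIN,PSH,ACK NEW,RELATED DROP
ALL RST,ACK,PSH - -
ALL RST,ACK,URG - -
ALL RST,ACK,PSH,URG - -
ALL FIN,PSH,ACK,URG - -
ALL ACK,URG - -
ALL ACK,URG,FIN - -"""


def flagset(spec):
    """Expand an iptables flag list (ALL, NONE, or SYN,FIN,...) to a set."""
    if spec == "ALL":
        return TCP_FLAGS
    if spec == "NONE":
        return frozenset()
    return frozenset(spec.split(","))


def load_rules(text=RULES_TEXT):
    """Parse RULES_TEXT into (mask, comp, states, target, description) tuples."""
    rules = []
    for line in text.splitlines():
        mask, comp, states, target = line.split()
        desc = f"--tcp-flags {mask} {comp}"
        if states != "-":
            desc += f" -m state --state {states}"
        rules.append((flagset(mask), flagset(comp),
                      None if states == "-" else frozenset(states.split(",")),
                      None if target == "-" else target, desc))
    return rules


RULES = load_rules()


def evaluate(flags, state, sport=40000, dport=80):
    """Return (verdict, deciding rule) for a packet with the given flag names
    and conntrack state label.  Falling off the end of a user chain returns
    to the calling chain; that is reported as ("RETURN", "end of chain")."""
    pkt = frozenset(flags)
    if sport <= 19 or dport <= 19:        # the two --sport/--dport 0:19 rules
        return "DROP", "port 0:19"
    for mask, comp, states, target, desc in RULES:
        if pkt & mask != comp:            # only the bits in mask are examined
            continue
        if states is not None and state not in states:
            continue
        if target is None:                # matched, but no -j: counts and moves on
            continue
        return target, desc
    return "RETURN", "end of chain"


# Constructed sample packets: (description, flags, conntrack state).
SAMPLES = [
    ("normal handshake SYN", {"SYN"}, "NEW"),
    ("ACK on a tracked connection", {"ACK"}, "ESTABLISHED"),
    ("ACK with no tracked connection", {"ACK"}, "NEW"),
    ("bare FIN (Chris's example)", {"FIN"}, "NEW"),
    ("FIN/PSH/URG without ACK (Xmas tree)", {"FIN", "PSH", "URG"}, "NEW"),
    ("no flags at all", set(), "NEW"),
    ("FIN/ACK teardown", {"FIN", "ACK"}, "ESTABLISHED"),
    ("RST/ACK/URG, hits a rule posted without -j", {"RST", "ACK", "URG"}, "ESTABLISHED"),
]


def report():
    """Evaluate every sample; returns [(description, verdict, rule), ...]."""
    return [(d, *evaluate(f, s)) for d, f, s in SAMPLES]


if __name__ == "__main__":
    for d, verdict, why in report():
        print(f"{verdict:6} {d:45} <- {why}")
```

The conntrack labels are inputs to the model rather than something it computes, so the third sample (a lone ACK with state NEW) is what you get after a reboot clears the state table while peers still hold connections: the script drops it, which is the usual cost of this kind of check.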
