I've been looking around the web and have found multiple instances of tcp packet flags being blocked via pf rules to prevent OS detection and tcp/ip stack attacks. Do any of these pf rules below block legit packets? I haven't implemented any into my current firewall, but am thinking of doing so.

# These are supposed to foil nmap's os detection
# Most frequent three flag-specific protection rules I've seen, but the first is
# sometimes FUP/FUP. Is there a difference between FUP and FUP/FUP flags?
block in quick proto tcp all flags FUP
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags /SFRA

# As mentioned on www.sans.org/rr/firewall/building_IPv6.php
# Are these IPv6 specific?
block in quick proto tcp all flags FS/FS
block in quick proto tcp all flags FSRPAU
block in quick proto tcp all flags /FSRPAU

# As used in this example (google cache, site down or something):
# http://216.239.39.100/search?q=cache:ex2iLxHR0REC:screamingelectron.org/phpBB2/viewtopic.php%3Ft%3D4&hl=en&ie=UTF-8
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU
block in quick proto tcp all flags P

TIA
Adam Wenzel
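To check rules like these against ordinary traffic, here is an added Python evaluator (not from the original post and not pf's own code) that applies pf's `flags a/b` matching, "flags a set out of set b, other flags ignored", to the nine rules above and to a constructed set of flag combinations seen in a normal TCP conversation. It assumes that a bare `flags X` behaves as `X/X`, which is exactly the FUP versus FUP/FUP question raised in the post, so confirm that against pf.conf(5) for your pf version before relying on it.

```python
# Added example: evaluate pf-style "flags a/b" rules against constructed
# legitimate TCP segments to see which rules would also drop normal traffic.
# Flag letters as pf.conf(5) uses them, mapped to the TCP header flag bits.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def letters_to_bits(letters):
    """Turn a flag letter string such as 'SFRA' into a bitmask."""
    return sum(TCP_FLAG_BITS[c] for c in letters)


def parse_pf_flags(spec):
    """Parse the 'flags' argument into (required, checked) bitmasks.
    'a/b': of the flags in b, exactly those in a must be set; others ignored.
    ASSUMPTION: a bare 'a' is treated as 'a/a'."""
    if "/" in spec:
        required, checked = spec.split("/", 1)
    else:
        required = checked = spec
    return letters_to_bits(required), letters_to_bits(checked)


def rule_matches(spec, packet_flags):
    """True if a TCP segment carrying packet_flags is selected by 'flags spec'."""
    required, checked = parse_pf_flags(spec)
    return (packet_flags & checked) == required


# The nine flag specs quoted in the post, in the order given there.
RULES = ["FUP", "SF/SFRA", "/SFRA", "FS/FS", "FSRPAU", "/FSRPAU",
         "F/SFRA", "U/SFRAU", "P"]

# Constructed flag combinations that occur in a normal TCP conversation.
LEGIT_SEGMENTS = {
    "SYN": letters_to_bits("S"), "SYN/ACK": letters_to_bits("SA"),
    "ACK": letters_to_bits("A"), "PSH/ACK": letters_to_bits("PA"),
    "FIN/ACK": letters_to_bits("FA"), "RST": letters_to_bits("R"),
    "RST/ACK": letters_to_bits("RA"), "URG/ACK": letters_to_bits("UA"),
}


def rules_hitting_legit_traffic(rules=RULES, segments=LEGIT_SEGMENTS):
    """Map each rule spec to the legitimate segment types it would also block."""
    return {spec: [name for name, bits in segments.items() if rule_matches(spec, bits)]
            for spec in rules}


if __name__ == "__main__":
    for spec, hits in rules_hitting_legit_traffic().items():
        print(f"flags {spec:<8} also blocks: {hits or 'nothing legitimate'}")
```

Under that assumption, the only rule that selects normal traffic is `flags P`, which matches every PSH/ACK data segment; the other eight select only combinations that do not occur in a legitimate conversation.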
