Re: is it possible to block ip packets that contains experimental tcp op

NetFilter

Re: is it possible to block ip packets that contains experimental tcp op

To:	netfilter@lists.netfilter.org
Subject:	Re: is it possible to block ip packets that contains experimental tcp options ?
From:	Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Date:	Mon, 21 May 2007 20:27:15 +0200
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	netfilter-list1@securepoint.com
In-reply-to:	<1179747134.32083.19.camel@bathory.webcat.no>
List-archive:	</pipermail/netfilter>
List-help:	<mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id:	General discussion and user questions <netfilter.lists.netfilter.org>
List-post:	<mailto:netfilter@lists.netfilter.org>
List-subscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
Organization:	Plouf !
References:	<F163413C9250D211A55C0060979D5280016AB361@hertz.rad.nd.edu> <1179747134.32083.19.camel@bathory.webcat.no>
Sender:	netfilter-bounces@lists.netfilter.org
User-agent:	Mozilla Thunderbird 1.0.6 (Windows/20050716)

Hello,

Glenn Terjesen a écrit :

What i meant with "experimental tcp options" is that my ids (snort)
keept logging these "experimental tcp options"

#
code 76
length 8
data 01019DEDBEF00005

I know this aint a snort list, but my servers don't serve any services
that require this kind of traffic.

So i was wondering if iptables has any way of blocking these.

If you have a black list of options you want to drop (or a white list ofallowed options), what about the "--tcp-option" option of the "tcp" match ?

These to magic lines fixed it all
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

I wonder how these rules could drop packets according to TCP options.TCP flag combinations are not TCP options.

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
RE: is it possible to block ip packets that contains experimental tcp options ?, Marc Cozzi RE: is it possible to block ip packets that contains experimental tcp options ?, Jan Engelhardt RE: is it possible to block ip packets that contains experimentaltcp options ?, Paul Blondé RE: is it possible to block ip packets that contains experimental tcp options ?, Marc Cozzi RE: is it possible to block ip packets that contains experimentaltcp options ?, Paul Blondé RE: is it possible to block ip packets that contains experimental tcp options ?, Glenn Terjesen RE: is it possible to block ip packets that contains experimental tcp options ?, Glenn Terjesen Re: is it possible to block ip packets that contains experimental tcp options ?, Pascal Hambourg <= Re: is it possible to block ip packets that contains experimental tcp options ?, Glenn Terjesen

Previous by Date:	Conntrack rule timeout problem, Pat Riehecky
Next by Date:	iptables doesn't keep chain list after reboot, TheNokia
Previous by Thread:	RE: is it possible to block ip packets that contains experimental tcp options ?, Glenn Terjesen
Next by Thread:	Re: is it possible to block ip packets that contains experimental tcp options ?, Glenn Terjesen
Indexes:	[Date] [Thread] [Top] [All Lists]