[luau] Quick and dirty ipfilter question

Vince Hoang luau at ml.altern8.net
Thu Dec 5 22:36:00 PST 2002


On Thu, Dec 05, 2002 at 05:15:23PM -1000, Dustin Cross wrote:
> # Flags S/SA only allows packets with the SYN and SYNACK flags set
> # This prevents many forms of portscanning such as FIN scanning
> pass in log quick on eth0 proto tcp from 63.13.13.2/32 to eth0/32 port = 22 flags S/SA keep state
> pass in log quick on eth0 proto tcp from 192.168.0.0/24 to eth0/32 port = 22 flags S/SA keep state

I think the rules should read 'flags S keep state'. Otherwise, you
become vulnerable to SYN|ACK spoofing. You only want to save state
when you are establishing the TCP session, which is SYN only.
The same theory applies to iptables.

> # Flags S ensures state tracking only on the first outbound tcp packet
> pass out quick on eth0 proto tcp from any to any flags S keep state

Perfect.

-Vince
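To see concretely which TCP flag combinations each of the two forms discussed in this thread admits, here is a small model of ipfilter's "flags set/mask" comparison. It is an added example, not code from the thread or from ipfilter itself, and it assumes ipfilter's behaviour of comparing all six classic flags (FSRPAU) when no "/mask" is given.

```python
from __future__ import annotations

# Added example (not from the LUAU thread): models how ipfilter evaluates a
# "flags <set>/<mask>" clause so "flags S/SA" and "flags S" can be compared
# against concrete packets. Assumption: with no "/mask", ipfilter compares
# all six classic flags (FSRPAU), so "flags S" matches a pure SYN only.

TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
DEFAULT_MASK = "FSRPAU"  # assumed ipfilter default when "/mask" is omitted


def flag_letters_to_bits(letters: str) -> int:
    """Turn a letter set such as "SA" into the OR of its flag bits."""
    bits = 0
    for letter in letters:
        if letter not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {letter!r}")
        bits |= TCP_FLAG_BITS[letter]
    return bits


def parse_flags_clause(clause: str) -> tuple[int, int]:
    """Parse "S" or "S/SA" into (wanted_bits, mask_bits)."""
    wanted, _, mask = clause.partition("/")
    return flag_letters_to_bits(wanted), flag_letters_to_bits(mask or DEFAULT_MASK)


def flags_match(clause: str, packet_flags: int) -> bool:
    """Match when, within the masked bits, exactly the wanted bits are set."""
    wanted, mask = parse_flags_clause(clause)
    return (packet_flags & mask) == wanted


# Constructed sample packets: pure SYN, SYN|ACK, ACK-only, and a FIN probe.
SAMPLE_PACKETS = {
    "SYN": flag_letters_to_bits("S"),
    "SYN|ACK": flag_letters_to_bits("SA"),
    "ACK": flag_letters_to_bits("A"),
    "FIN": flag_letters_to_bits("F"),
}


def matching_packets(clause: str) -> list[str]:
    """Names of the sample packets a rule with this flags clause would admit."""
    return [name for name, bits in SAMPLE_PACKETS.items() if flags_match(clause, bits)]


if __name__ == "__main__":
    for clause in ("S/SA", "S"):
        print(f"flags {clause:<5} admits: {matching_packets(clause)}")
```

The two forms differ only on flags outside the SA mask: a packet carrying SYN together with, say, FIN passes "S/SA" but not the all-flags comparison of "S".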
