Clever Firewall Rules - Second Edition - Update

From: Rob 'Feztaa' Park (fezziker@home.com)
Date: 09/19/01


Date: Tue, 18 Sep 2001 16:03:15 -0600 (MDT)
From: Rob 'Feztaa' Park <fezziker@home.com>
To: Bugtraq - Focus Linux <focus-linux@securityfocus.com>
Subject: Clever Firewall Rules - Second Edition - Update
Message-ID: <Pine.LNX.4.33L2.0109181552570.1363-100000@feztron.ath.cx>

Just a quick update, I don't want to send out the whole thing again.

I've managed to get my SYN limiting rules to filter the closed ports,
eliminating the problem of ports randomly flickering between closed and
filtered during a SYN scan:

# user-defined chain referenced below (created elsewhere in the full rule set)
iptables -N syn_limit
# SYNs within the rate limit go to syn_limit; anything over the limit is dropped
iptables -A INPUT -i eth0 -p tcp --syn -m limit --limit 10/m \
     --limit-burst 10 -j syn_limit
iptables -A INPUT -i eth0 -p tcp --syn -j DROP
# inside the limit: accept SYNs to served ports, drop SYNs to closed ones
iptables -A syn_limit -p tcp --dport 80 -j ACCEPT
# [Rules for opening any other ports you need]
iptables -A syn_limit -p tcp -j DROP

If I can, I'm going to make the limiting host-specific. As I mentioned
before, somebody who wanted to prevent access to my webserver could just
continually SYN scan me - the only way of fixing this is to limit SYN
packets on a per-host basis. That way people can SYN scan me until the
cows come home and find nothing, while people sending single, legitimate
SYN packets to my webserver can get in.
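The trade-off described above, as an added example that is not part of the original post: a small Python model of "-m limit" as a token bucket (an approximation of the module's behaviour, not its code), run once with a single shared bucket like the rules above and once with one bucket per source address, over constructed traffic (a 100-port scan from one host, then one legitimate SYN to port 80).

```python
"""Model of the SYN-limiting rules as token buckets (added example)."""
from dataclasses import dataclass, field

@dataclass
class TokenBucket:
    """Approximation of iptables '-m limit': refill at `rate` tokens per
    second, hold at most `burst` tokens, spend one token per matching SYN."""
    rate: float            # tokens per second (10/m -> 10/60)
    burst: int             # --limit-burst
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

OPEN_PORTS = {80}

def run_rules(packets, per_host):
    """packets: (time, src_ip, dst_port) SYNs in arrival order.
    per_host=False -> one bucket shared by every source (rules in the post).
    per_host=True  -> one bucket per source IP (the change the post proposes).
    Returns one verdict string per packet."""
    buckets = {}
    verdicts = []
    for t, src, port in packets:
        key = src if per_host else "all"
        bucket = buckets.setdefault(key, TokenBucket(rate=10 / 60, burst=10))
        if not bucket.allow(t):
            verdicts.append("DROP-ratelimit")   # second INPUT rule
        elif port in OPEN_PORTS:
            verdicts.append("ACCEPT")           # syn_limit: open port
        else:
            verdicts.append("DROP-closed")      # syn_limit: closed port
    return verdicts

# Constructed traffic (documentation address ranges): one host scans ports
# 1-100 at t=0, then a legitimate client sends a single SYN to port 80 at t=5s.
SCAN = [(0.0, "203.0.113.5", p) for p in range(1, 101)]
CLIENT = [(5.0, "198.51.100.7", 80)]

def shared_limit_client_verdict():
    return run_rules(SCAN + CLIENT, per_host=False)[-1]

def per_host_client_verdict():
    return run_rules(SCAN + CLIENT, per_host=True)[-1]
```

With the shared bucket the scan empties it and the legitimate client is dropped five seconds later; with per-host buckets the client is accepted while the scanner still sees every closed port as filtered. In current iptables the per-source variant is expressed with the hashlimit match (`-m hashlimit --hashlimit-mode srcip`).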

The rest of my rules have stayed pretty much the same.

-- 
Rob 'Feztaa' Park
fezziker@home.com
ICQ#: 49781692
:wq!


