Re: Various Questions on Dropping SYN Pkts

From: Allen Kistler (ackistler@yahoo.com)
Date: 12/29/02


From: Allen Kistler <ackistler@yahoo.com>
Date: Sun, 29 Dec 2002 05:29:06 GMT

Fritz Foetzl wrote:
> By default, iptables includes the following rules for dropping SYN
> packets from the input chain (output from "iptables -L"):
> [snip]

"By default" varies with distribution, I think.

> 1. What is the point of specifying destination ports in these rules?
> [snip]

Ports 1-1023 can only be used by services running as root.
Higher-numbered ports can be used by user processes, like ftp, which may
need to accept incoming traffic. There are some exceptions, like nfs,
xfs, and x11, which you (or your distribution) would want to block, too.

BTW, iptables has a better mechanism for tracking ftp data connections.
These iptables rules look like translated ipchains rules.

> 2. Would DROP be a better target than REJECT, so as to provide no
> information at all back to the sender?

Probably a matter of preference. If you reset a connection, the box
sending you packets knows not to send any more and chew up your
bandwidth. OTOH, the box sending you packets can use you for a
reflected DoS attack against someone else.

> 3. Why examine the RST and ACK flags if SYN is the only flag the rule
> really cares about?

Probably hold-overs from ipchains days looking for illegal flag
combinations. You can/should do similar things with iptables, but the
examples you posted look like exclusively ipchains hold-overs.
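The three points in the reply above (connection tracking instead of ipchains-style port ranges for ftp, DROP versus REJECT for unsolicited SYNs, and explicit checks for illegal TCP flag combinations) as one added example; this is not code from the thread. It is a dry-run rule generator: IPT defaults to `echo iptables`, so it prints the rules rather than applying them, and the flag classifier mirrors in shell arithmetic what the `--tcp-flags` rules match on. The chain name `tcp_flags`, the NEW_TCP_POLICY variable and the helper names are assumptions of this example; the port numbers for nfs (2049), xfs (7100) and X11 (6000-6063) are the standard ones.

```shell
#!/bin/sh
# Added example, not from the original post. Dry run by default: IPT prints
# the rules instead of applying them. Run with IPT=iptables to apply for real
# (requires root, and the ftp conntrack helper module for the ftp rule).
IPT="${IPT:-echo iptables}"
# Policy for unsolicited SYNs: DROP says nothing back; the alternative is
# "REJECT --reject-with tcp-reset", which tells the sender to stop but can be
# abused as a reflector, as the reply notes. Left unquoted on purpose so the
# two-word REJECT form splits into separate arguments.
NEW_TCP_POLICY="${NEW_TCP_POLICY:-DROP}"

# TCP flag bit values as they appear in the TCP header flags byte.
FIN=1; SYN=2; RST=4; PSH=8; ACK=16; URG=32

# classify_tcp_flags FLAGS (integer): prints "illegal" for combinations no
# legitimate stack sends, "syn" for a plain connection request, "ack" for
# anything carrying ACK. Same logic as the tcp_flags chain below.
classify_tcp_flags() {
    f=$1
    if [ $((f & (SYN|FIN))) -eq $((SYN|FIN)) ]; then echo illegal; return; fi
    if [ $((f & (SYN|RST))) -eq $((SYN|RST)) ]; then echo illegal; return; fi
    # No flags at all ("null" probe).
    if [ $((f & (FIN|SYN|RST|PSH|ACK|URG))) -eq 0 ]; then echo illegal; return; fi
    # FIN+PSH+URG together ("xmas" probe).
    if [ $((f & (FIN|PSH|URG))) -eq $((FIN|PSH|URG)) ]; then echo illegal; return; fi
    # FIN, PSH or URG without ACK and without SYN: not a valid segment.
    if [ $((f & ACK)) -eq 0 ] && [ $((f & SYN)) -eq 0 ]; then echo illegal; return; fi
    if [ $((f & SYN)) -ne 0 ] && [ $((f & ACK)) -eq 0 ]; then echo syn; return; fi
    echo ack
}

# generate_rules: emit (or apply) a small INPUT policy that uses connection
# tracking for ftp data connections and drops bad flag combinations first.
generate_rules() {
    # Illegal flag combinations, checked before anything else.
    $IPT -N tcp_flags
    $IPT -A tcp_flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A tcp_flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A tcp_flags -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A tcp_flags -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
    $IPT -A tcp_flags -p tcp --tcp-flags SYN,ACK,FIN,RST,PSH,URG FIN -j DROP
    $IPT -A INPUT -p tcp -j tcp_flags

    # Connection tracking: replies and helper-related connections (ftp data
    # sessions opened by the ftp conntrack helper) are accepted without any
    # port-range rule for them.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # Services above 1023 that user processes should not expose.
    $IPT -A INPUT -p tcp --syn --dport 2049 -j $NEW_TCP_POLICY       # nfs
    $IPT -A INPUT -p tcp --syn --dport 7100 -j $NEW_TCP_POLICY       # xfs
    $IPT -A INPUT -p tcp --syn --dport 6000:6063 -j $NEW_TCP_POLICY  # x11
    # Everything else a root-owned service could listen on.
    $IPT -A INPUT -p tcp --syn --dport 0:1023 -j $NEW_TCP_POLICY
}

# count_flag_rules: number of --tcp-flags rules produced (handy for a check).
count_flag_rules() {
    generate_rules | grep -c -e '--tcp-flags'
}

# Stand-alone run prints the rule set.
generate_rules
```

Run it as-is to review the rules, or `NEW_TCP_POLICY="REJECT --reject-with tcp-reset" sh script.sh` to see the other choice; the classifier can be called directly (`classify_tcp_flags 3` reports SYN+FIN as illegal) to check a captured flags byte against the same logic the chain enforces.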
