Snort mailing list archives
Re: Supper Firewall setup with IPFILTER and SNORT
From: Phil Dibowitz <phil () ipom com>
Date: Sat, 23 Nov 2002 14:13:45 -0800
Jim Sandoz wrote:
nathan, your ipfilter ruleset is lacking in several areas, and in particular the following line:

    block return-rst in log quick on fxp0 proto tcp from any to any

is going to cause you many problems when out-of-order tcp packets arrive at your external interface. see the IPF FAQ at: http://home.earthlink.net/~jaymzh666/ipf/index.html specifically: http://home.earthlink.net/~jaymzh666/ipf/IPFprob.html#9 for additional info on "keep state" with tcp: http://home.earthlink.net/~jaymzh666/ipf/IPFprob.html#1
My site quoted in three places. I love it. Anyway, Jim is definitely correct about the return-rst rule... But I want to add a comment:
moreover, you are keeping state in too many places, without proper flags, and not setting up state correctly in others.
Jim here mentions more than one problem, and he's right, but *one* of the problems I believe he is addressing is adding "flags S" to keep tcp state rules. I've been hearing more and more reports that this isn't necessary in the most recent versions of IPF. And while, if you have no reason *NOT* to use it, it's probably a good idea anyway, if you have reasons to use it (like you want connections picked up in the middle provided they come from inside) it *should* be possible these days to go without the flags S on those rules. BUT they ARE (afaik?
-- Phil Dibowitz phil () ipom com Freeware and Technical Pages Insanity Palace of Metallica http://home.earthlink.net/~jaymzh666/ http://www.ipom.com/ "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, 1759
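To make the advice in this thread concrete, here is an added IPFilter ruleset sketch (written for this archive page, not posted by Nathan, Jim or Phil) that puts the problematic catch-all next to a stateful alternative. It assumes fxp0 is the external interface and that the host only needs to originate connections; the rule text follows standard ipf.conf syntax, and the comments restate the thread's reasoning.

```conf
# --- Problematic: inbound catch-all that answers with RST ---
# Any inbound TCP segment that is not matched by a state entry hits this
# rule. That includes legitimate segments of tracked connections that
# arrive out of order or outside the window the state table expects, so
# IPF sends the remote peer a RST and tears down a working connection.
block return-rst in log quick on fxp0 proto tcp from any to any

# --- Stateful alternative following the thread's advice ---
# Create state only on the first packet of an outbound connection.
# "flags S" restricts the match to segments with only SYN set, so a
# state entry is never created from a mid-stream segment; the thread
# notes recent IPF versions may not require it, but it is the safe
# default when there is no reason to pick up connections mid-stream.
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Inbound segments that match a state entry are passed by the state
# table before any rule is consulted. Whatever does not match is dropped
# silently: a stray out-of-order segment is simply retransmitted by the
# peer instead of triggering a RST, and unsolicited probes get nothing.
block in log quick on fxp0 all
```

If a RST reply is genuinely wanted for a specific service (a common case is ident), scope a separate `block return-rst in quick ... port = 113` rule to that port rather than applying return-rst to all inbound TCP.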
Current thread:
- Supper Firewall setup with IPFILTER and SNORT Nathan Whitehouse (Nov 22)
- Re: Supper Firewall setup with IPFILTER and SNORT jabbott (Nov 25)
- Re: Supper Firewall setup with IPFILTER and SNORT Jim Sandoz (Nov 25)
- Re: Supper Firewall setup with IPFILTER and SNORT Phil Dibowitz (Nov 25)
- Re: Supper Firewall setup with IPFILTER and SNORT Phil Dibowitz (Nov 25)
- Re: Supper Firewall setup with IPFILTER and SNORT Jim Sandoz (Nov 25)
- Re: Supper Firewall setup with IPFILTER and SNORT jabbott (Nov 25)
