[Shorewall-newbies] tcpflags SYN+FIN

Nian Ma Nian.Ma at compel.com
Tue Mar 2 06:53:37 PST 2004


It's my first time using shorewall and it's one of the greatest pieces of
software I've ever used. Documents are very clear and useful.

One thing I need some help with here is how to set up the tcpflags in the
file "Interfaces". There are two posts in the archive related to this
issue, but I still can't make it work.
Here's the problem: After I ran Nessus to check the firewall, which is
set up with shorewall, it reported "The remote host does not discard TCP
SYN packets which have the FIN flag set.". In order to block these packets,
I changed the shorewall configuration as follows:

1. In the shorewall.conf file, I set "NEWNOTSYN=No".
2. Changed the Interfaces file as:
"
############################################################################
#ZONE	INTERFACE	BROADCAST	OPTIONS
net	eth0		detect		routefilter,norfc1918,SYN+FIN
loc	eth1		detect		netnotsyn
dmz	eth2		detect		netnotsyn
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"

After I restarted shorewall, Nessus reported the same warning.


Did I do anything wrong? How should I do this?

Any help is appreciated.

Mark
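An added example, not from the original post or from the Shorewall project: a small Python model of the bad-flag check that a tcpflags-style interface option applies (the exact combinations are assumed from the usual iptables --tcp-flags rules such an option installs), plus a check of whether an interfaces line actually carries the tcpflags option rather than a flag name in the OPTIONS column.

```python
# Added example (not from the original post or from Shorewall itself): a model
# of the check a tcpflags-style interface option applies, run over constructed
# packets. The combinations are assumed from the usual iptables --tcp-flags rules.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG

# (mask, compare, reason): drop when (flags & mask) == compare, which is the
# semantics of iptables' "--tcp-flags <mask> <compare>".
BAD_FLAG_RULES = [
    (ALL, FIN | URG | PSH, "FIN+URG+PSH (xmas)"),
    (ALL, 0, "no flags set (null)"),
    (SYN | RST, SYN | RST, "SYN+RST"),
    (SYN | FIN, SYN | FIN, "SYN+FIN"),
    (FIN | ACK, FIN, "FIN without ACK"),
]

def tcp_flags_verdict(flags, sport=None):
    """Return (verdict, reason) for one TCP segment's flag byte."""
    for mask, compare, reason in BAD_FLAG_RULES:
        if flags & mask == compare:
            return "DROP", reason
    if sport == 0 and flags & SYN:
        return "DROP", "SYN from source port 0"
    return "ACCEPT", "flags look sane"

def interface_has_tcpflags(interfaces_line):
    """True if a Shorewall 'interfaces' line lists the tcpflags option.
    Columns are ZONE INTERFACE BROADCAST OPTIONS; options are comma-separated."""
    cols = interfaces_line.split()
    if len(cols) < 4 or cols[0].startswith("#"):
        return False
    return "tcpflags" in cols[3].split(",")

# Constructed sample traffic: (description, flags, source port).
SAMPLE_SEGMENTS = [
    ("normal connect", SYN, 40000),
    ("nessus probe", SYN | FIN, 40001),
    ("normal close", FIN | ACK, 40002),
    ("null scan", 0, 40003),
]

def dropped(segments=SAMPLE_SEGMENTS):
    """Descriptions of the segments the check would discard."""
    return [d for d, f, p in segments if tcp_flags_verdict(f, p)[0] == "DROP"]

if __name__ == "__main__":
    for desc, flags, sport in SAMPLE_SEGMENTS:
        print(f"{desc:15} -> {tcp_flags_verdict(flags, sport)}")
    print(interface_has_tcpflags("net\teth0\tdetect\troutefilter,norfc1918,SYN+FIN"))
    print(interface_has_tcpflags("net\teth0\tdetect\troutefilter,norfc1918,tcpflags"))
```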




More information about the Shorewall-newbies mailing list