[Shorewall-newbies] tcpflags SYN+FIN

Tom Eastep teastep at shorewall.net
Tue Mar 2 07:09:29 PST 2004


On Tuesday 02 March 2004 06:42 am, Nian Ma wrote:
> It's my first time to use shorewall and it's one of the greatest
> software I've ever used. Documents are very clear and useful.
>
> One thing I need some help here is how to setup the tcpflags in the
> file "Interfaces". There're two posts in the archive related to this
> issue, but I still can't make it work.
> Here's the problem: After I ran Nessus to check the firewall, which is
> set up with shorewall, it reported "The remote host does not discard TCP
> SYN packets which have the FIN flag set.". In order to block these
> packets, I changed the shorewall configuration as follows:
>
> 1. In the shorewall.conf file, I set "NEWNOTSYN=No".
> 2. Change Interfaces file as:
> "
> ###########################################################################
> #ZONE	INTERFACE	BROADCAST	OPTIONS
> net	eth0		detect		routefilter,norfc1918,SYN+FIN
> loc	eth1		detect		netnotsyn
> dmz	eth2		detect		netnotsyn
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

net   eth0   detect	routefilter,norfc1918,tcpflags
                                              --------

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
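As an added illustration (not code from this post or from Shorewall itself), the check below mirrors what an interface-level tcpflags option does: it tests a raw TCP header's flag bits the way iptables' "--tcp-flags MASK COMP" does and reports invalid combinations such as the SYN+FIN one Nessus flagged. The rule list is an assumption for illustration, not a transcript of Shorewall's own tcpflags chain.

```python
import struct

# TCP flag bits in byte 13 of the header (RFC 793 bit positions).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())
NONE = 0

# Rules in iptables "--tcp-flags MASK COMP" form: look only at the bits in
# MASK and match when exactly the bits in COMP are set among them.
# Assumed illustrative set; Shorewall's actual tcpflags rules may differ.
BAD_FLAG_RULES = [
    ("null scan", ALL, NONE),
    ("SYN+FIN", FLAGS["SYN"] | FLAGS["FIN"], FLAGS["SYN"] | FLAGS["FIN"]),
    ("SYN+RST", FLAGS["SYN"] | FLAGS["RST"], FLAGS["SYN"] | FLAGS["RST"]),
    ("xmas scan", ALL, FLAGS["FIN"] | FLAGS["URG"] | FLAGS["PSH"]),
]


def tcp_flags_match(flags: int, mask: int, comp: int) -> bool:
    """iptables --tcp-flags semantics: (flags & MASK) == COMP."""
    return (flags & mask) == comp


def flags_of(tcp_header: bytes) -> int:
    """Return the six classic flag bits from a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return tcp_header[13] & ALL


def classify(tcp_header: bytes):
    """Name of the first invalid-flag rule the header matches, or None."""
    flags = flags_of(tcp_header)
    for name, mask, comp in BAD_FLAG_RULES:
        if tcp_flags_match(flags, mask, comp):
            return name
    return None


def make_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header (no options) with the given flag bits."""
    # seq=0, ack=0, data offset 5 words, window 8192, checksum 0, urgptr 0
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       8192, 0, 0)


if __name__ == "__main__":
    probe = make_tcp_header(40000, 80, FLAGS["SYN"] | FLAGS["FIN"])
    print(classify(probe))  # SYN+FIN
```

A plain SYN to port 80 returns None, while the SYN+FIN probe, a null scan and a FIN/URG/PSH "xmas" header each return the name of the rule that would drop them.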