[Shorewall-newbies] tcpflags SYN+FIN

Tom Eastep teastep at shorewall.net
Tue Mar 2 10:32:41 PST 2004


On Tuesday 02 March 2004 08:50 am, Nian Ma wrote:
> What a mistake I made.
>
> However, after I changed the file interfaces and restarted shorewall,
> Nessus reported the same warning:
> "The remote host does not discard TCP SYN packets which have the FIN
> flag set."
>
> Just wanting to give it another try, I changed shorewall.conf to set
> "NEWNOTSYN=Yes"
> and changed the file interfaces as:
> # #ZONE	INTERFACE	BROADCAST	OPTIONS
>  net	eth0		detect		routefilter,norfc1918,tcpflags
>  loc	eth1		detect
>  dmz	eth2		detect
>
> After restart, Nessus generated the same warning.
>
> Any other suggestions?

What is your setting for TCP_FLAGS_DISPOSITION in shorewall.conf?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net



