[Shorewall-users] Norton personal firewall tells me that bad TCP
packets are received
Tom Eastep
teastep at shorewall.net
Thu Feb 5 09:46:54 PST 2004
On Thursday 05 February 2004 07:36 am, Christer Nilsson wrote:
> This is some of the messages I get:
>
> TCP non-syn/non-ack packet on invalid connection. Packet has been dropped
> TCP Source Port: http(80)
> TCP Destination Port: 2595
> TCP Message Flags: 0x00000019
>
> The TCP message Flags varies. I've seen 0x00000011, 0x00000010,
> 0x00000018, 0x00000004, 0x00000014 and 0x00000019.
These are not harmful -- you can catch some of them by setting NEWNOTSYN=No on
your firewall but you can't stop them all. They typically occur when there
are timeouts during TCP session termination.
>
> Intrusion: Invalid TCP Flags
> TCP Source Port: 6881
> TCP Destination Port: 4307
> TCP Flags invalid: 0x00000015
>
> Here I've seen 0x00000712 and 0x00000015.
>
The 'tcpflags' option in Shorewall focuses on those combinations of flags that
are used in stealth scans; it doesn't try to catch all invalid combinations.
>
> Intrusion: Invalid TCP Source Port
> TCP Source Port: 0. This is an invalid port number.
> TCP Destination Port: 6881
>
You don't mention which version of Shorewall you are running -- recent
versions catch source port 0 under the 'tcpflags' option.
> Intrusion: Invalid TCP Options
> TCP Source Port: 33931
> TCP Destination Port: 6881
> Invalid TCP Option: 0xc660b2ba
These can be caught by Shorewall if you set the 'dropunclean' option. I DON'T
recommend that option (it's going away in Shorewall 2.0) as there are a lot
of broken TCP stacks out there that do things like this -- they don't hurt
anything and blocking them just causes annoying connection problems.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
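As an added illustration of Tom's points (this is example code written for this archive page, not code from the thread or from the Shorewall project), the script below decodes the hex flag words Norton prints into flag names and applies a small scan-signature rule set in the spirit of a 'tcpflags'-style filter. It assumes Norton's flag word uses the standard TCP bit layout (FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10, URG=0x20, ECE=0x40, CWR=0x80, NS=0x100); the rule set (NULL, XMAS, SYN+FIN, SYN+RST, FIN+RST, FIN/PSH/URG without ACK, reserved bits, source port 0) is my own assumption for the example, not a copy of any product's table. The sample log is constructed from the lines quoted in the thread.

```python
import re

# Standard TCP flag bit layout (RFC 793, plus ECE/CWR from RFC 3168 and NS
# from RFC 3540). Assumption for this example: Norton's hex word uses it.
TCP_FLAG_BITS = (
    (0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
    (0x010, "ACK"), (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR"),
    (0x100, "NS"),
)
KNOWN_MASK = sum(bit for bit, _ in TCP_FLAG_BITS)
CORE = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}


def decode_flags(word):
    """Return (names of set flags, leftover bits outside the known layout)."""
    names = [name for bit, name in TCP_FLAG_BITS if word & bit]
    return names, word & ~KNOWN_MASK


def classify(word, sport=None):
    """Scan-signature checks in the spirit of a 'tcpflags'-style filter.

    The rule list is an assumption made for this example. An empty result
    means "nothing worth blocking", which is what the late FIN/ACK/RST
    leftovers from session teardown (0x19, 0x11, 0x10, 0x18, 0x04, 0x14)
    come out as.
    """
    names, leftover = decode_flags(word)
    flags = set(names)
    hits = []
    if not flags & CORE:
        hits.append("NULL scan (no flags set)")
    if CORE <= flags:
        hits.append("XMAS scan (all six classic flags set)")
    if {"SYN", "FIN"} <= flags:
        hits.append("SYN+FIN")
    if {"SYN", "RST"} <= flags:
        hits.append("SYN+RST")
    if {"FIN", "RST"} <= flags:
        hits.append("FIN+RST")
    if "ACK" not in flags:
        for f in ("FIN", "PSH", "URG"):
            if f in flags:
                hits.append(f"{f} without ACK")
    if leftover:
        hits.append(f"reserved/unknown bits set: {leftover:#x}")
    if sport == 0:
        hits.append("source port 0")
    return hits


# Matches "http(80)", "0. This is an invalid port number." and plain "6881".
SPORT_RE = re.compile(r"TCP Source Port:\s*(?:[A-Za-z]+\()?(\d+)")
# Matches both "TCP Message Flags: 0x..." and "TCP Flags invalid: 0x...".
FLAGS_RE = re.compile(r"TCP (?:Message )?Flags(?: invalid)?:\s*(0x[0-9A-Fa-f]+)")


def triage_log(text):
    """Parse blank-line-separated Norton-style event blocks and classify each.

    Returns a list of (flag word or None, source port, flag names, hits).
    """
    results = []
    for block in re.split(r"\n\s*\n", text.strip()):
        sport_m = SPORT_RE.search(block)
        flags_m = FLAGS_RE.search(block)
        sport = int(sport_m.group(1)) if sport_m else None
        if flags_m:
            word = int(flags_m.group(1), 16)
            names, _ = decode_flags(word)
            results.append((word, sport, names, classify(word, sport)))
        elif sport == 0:
            # Source-port-0 events carry no flags line; still worth flagging.
            results.append((None, 0, [], ["source port 0"]))
    return results


# Constructed sample, assembled from the event lines quoted in the thread.
SAMPLE_LOG = """\
TCP non-syn/non-ack packet on invalid connection. Packet has been dropped
TCP Source Port: http(80)
TCP Destination Port: 2595
TCP Message Flags: 0x00000019

Intrusion: Invalid TCP Flags
TCP Source Port: 6881
TCP Destination Port: 4307
TCP Flags invalid: 0x00000015

Intrusion: Invalid TCP Source Port
TCP Source Port: 0. This is an invalid port number.
TCP Destination Port: 6881
"""

if __name__ == "__main__":
    for word, sport, names, hits in triage_log(SAMPLE_LOG):
        shown = f"{word:#06x}" if word is not None else "n/a"
        print(f"flags={shown} {'|'.join(names) or '-'} sport={sport} -> {hits or 'ignore'}")
```

Run as-is, the first event (0x19 = FIN,PSH,ACK) comes out with no hits, matching Tom's remark that these teardown leftovers are harmless; 0x15 (FIN,RST,ACK) trips the FIN+RST rule; and the source-port-0 event is caught on its own. Under the standard layout, 0x712 decodes to SYN,ACK,NS with reserved bits 0x600 set, which is why it is reported as invalid rather than as a scan pattern.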