Hi,

I'm interested in finding online resources where I can get some general practical advice about tcp-flags rules. Please don't point me to frozentux. I've read almost everything I needed to know. I'm interested in a site such as this one, http://www.k-state.edu/its/security/...pt_Handout.pdf of whose accuracy I'm not entirely sure.

I understand a few rules, such as rejecting new connections that don't have the syn flag set and so on, but I suppose there must be a set of general practical rules that apply to most scenarios that I can use or pick from.

Any ideas? Would the site I've linked to be roughly enough for what I'm looking for?

And please, don't start by telling me to read iptables tutorials before posting and crap like that, as I know many of you are used to doing I have read quite a lot, but oftentimes the most useful and basic pieces of information are almost nowhere to be found. I did search, but I wasn't able to find what I'm looking for. There's no point in coming up with my own rules (I'm talking only about general tcp-flags rules here), as they might have major flaws, when cleverer people have found out better solutions by now.

Hello again.


You started out here and all was good. Actually your questions here make more sense because you actively discuss TCP flag specifics (regardless of how that discussion went down, OK, maybe that's what the "crap" part originates from, idk ;-p)

I don't agree with not writing your own rule set: we ("we" as in all of us who need to know TCP/IP Suite intricacies for work and pleasure) all need to go down that route of learning a lot. Mastering the stuff, show a good understanding of things, is done by expressing what you know in your own rule set.

For example when I started out with ipfwadm and ipchains I was concerned about TCP flags and such but nowadays I don't care that much anymore (OK, in the context of end point hardening), because the real threat isn't a Xmas or FIN scan (OK, there'll always be devices that can't cope) but due to better edge hardware / filtering, detection methods and mitigation techniques it's mostly application level (layer 7) or wetware (layer 8 ;-p) threats these days.


The old rule set in the PDF link you posted was a result of knowing ways scans could be performed. If you're interested in that why not do some reading of nmap docs on scan techniques? Or else, and I would really recommend it, is to find out more about TCP/IP itself first (like say www.tcpipguide.com) because things like the Three Way Handshake and the Five Way Teardown (and anomalies) are what makes things interesting?..

I guess my wording wasn't as clever as I wanted it to be. I don't mean to say that I shouldn't write my own rules, but there are some, how should I say, common patterns that could help me.

I know the basics of TCP/IP. I finished CCNA. I guess I wanted more practical advice. Someone recommended using csf on linux servers, for instance, but said that on a linux router he'd use customised iptables. As far as I know, lots of integrated firewalls have integrated rules similar to those in my link (syn flood etc.) - I wrote this part before reading all your post, sorry

Since my post here I've also found this link https://www.sans.org/reading-room/wh...ues-defense-70.

The point is, I do want to learn as much as possible and understand whatever a firewall is doing even if I don't need to edit those default rules, but I'd also like to be practical about it. I don't want to start writing all sorts of tcp-flags rules every time I configure a server when they're automatically integrated in smart software. So I'd also like to focus my resources on something more practical. I know I'm a little bit ambiguous, but I guess I don't know how to approach the whole problem myself.

Anyway, I will have a look at your tcpguide, nonetheless. Might find some useful things.

W. Richard Stevens wrote some of the classics on this subject - see the home page http://www.kohala.com/start/

Don't want to be mean, but I'm really not interested in spending $50 on a 20-year old book (the other two that deal with TCP are even older) that addresses IT. I'm not saying that the book is bad, and the fundamentals haven't changed I suppose, but even so, I'd prefer something more contemporary.