LinuxQuestions.org


wedgeworth 04-29-2004 04:37 PM

tcp packets
 
ok i got this error when i was running my nessus security check. they call it a general tcp vulnerability:

***************************************************
The remote host does not discard TCP SYN packets which
have the FIN flag set.

Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.

See also : http://archives.neohapsis.com/archiv...2-10/0266.html
http://www.kb.cert.org/vuls/id/464113

Solution : Contact your vendor for a patch
***************************************************


i'm not really sure what to do about this. at the moment i'm running ****. is this just the way my kernel handles packets? is there a danger? is there something i should do in ipchains to make sure certain flags are up before rejecting/accepting?

what exactly is the problem? if anyone has any good background with this stuff or has an idea, i'd appreciate it. thnx

Mara 04-29-2004 05:36 PM

It's a good practice to drop packets with strange (incorrect) flag combinations. Your firewall doesn't do it. It'd be a good idea to add such functionality, but it's not a must-have. There's a danger, but not very big.

wedgeworth 04-30-2004 07:35 AM

how do i know if mine are strange? at the moment ipchains doesn't reference any kind of reject/accept -ing based on flags. what exactly should i be looking for? what exactly should i be accepting or rejecting?

Matt Collier 04-30-2004 08:25 AM

# --tcp-flags takes two lists: mask (flags examined) and comp (flags that must be set)
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

should drop any SYN packets with the FIN flag set
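
Added example, not part of the thread: a small Python model of how iptables' `--tcp-flags mask comp` test is evaluated against the flags byte of a TCP header, showing why the SYN+FIN check needs both flags in the mask and in comp. The function names, the two-rule policy and the sample headers are constructed for illustration.

```python
import struct

# TCP flag bits as they appear in byte 13 of the TCP header.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def bits(names):
    """Turn a comma-separated list such as "SYN,FIN" into a bit mask."""
    value = 0
    for name in names.split(","):
        value |= FLAGS[name.strip().upper()]
    return value

def tcp_header(flag_names, sport=40000, dport=80):
    """Build a constructed 20-byte TCP header carrying the given flags."""
    offset_and_flags = (5 << 12) | bits(flag_names)  # data offset = 5 words
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, offset_and_flags, 1024, 0, 0)

def header_flags(header):
    """Extract the six classic flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & 0x3F

def tcp_flags_match(header, mask, comp):
    """Model of --tcp-flags: look only at the bits in mask and match when
    exactly the bits in comp are set among them."""
    return (header_flags(header) & bits(mask)) == bits(comp)

def verdict(header):
    """Hypothetical policy: drop SYN+FIN, accept everything else."""
    return "DROP" if tcp_flags_match(header, "SYN,FIN", "SYN,FIN") else "ACCEPT"

# Constructed sample segments (not captured traffic).
SAMPLES = {name: tcp_header(name)
           for name in ("SYN", "SYN,FIN", "SYN,ACK", "FIN,ACK", "SYN,FIN,PSH")}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:12} -> {verdict(hdr)}")
    # A comp flag that is missing from the mask can never be satisfied:
    print(tcp_flags_match(SAMPLES["SYN,FIN"], "SYN", "FIN"))
```

Flags outside the mask (PSH in the last sample) are ignored, so the rule still catches SYN+FIN segments that carry extra flags.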

wedgeworth 04-30-2004 11:00 AM

got anything in ipchains.......i know it's not state...but it'll do the same thing right?


what would the entry for that look like?
maybe....

ipchains -A INPUT -p tcp --tcp-flags SYN FIN -j REJECT

Matt Collier 04-30-2004 12:19 PM

assuming that REJECT is a valid jump target, yeah, though any 2.4 or 2.6 kernels really should use iptables instead of ipchains

wedgeworth 05-10-2004 04:09 PM

what is the reasoning behind that? that any 2.4 or 2.6 kernels really should use iptables instead of ipchains?

Mara 05-10-2004 04:40 PM

iptables offers you more, but if you're used to ipchains and they give you what you need, you don't have to move.


All times are GMT -5.