Tuesday, August 23, 2005

Re: iptables --tcp-option ! 2

On Tue, Aug 23, 2005 at 04:44:02PM -0700, Doug wrote:
> I keep seeing this in firewall scripts on the net, but I am unable to find an explanation or listing/table of
> tcp-options.
> The command in question is the following
>
> iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset

If you google for "tcp options", the first hit is:

http://www.iana.org/assignments/tcp-parameters

Kind  Length  Meaning                          Reference
----  ------  -------------------------------  ---------
0     -       End of Option List               [RFC793]
1     -       No-Operation                     [RFC793]
2     4       Maximum Segment Size             [RFC793]
3     3       WSOPT - Window Scale             [RFC1323]
...

And I am not sure when the above rule makes sense. It looks inverted:

The protocol requires this option only in the SYN segments, so perhaps this
is a misguided try to filter those? What I see in some tutorials is that
you accept SYN packets before, and then you can reject all packets which
have the option, because they are not SYN segments.

BTW: ipt_unclean is also filtering some option 2 misuse. But that is aimed
at the content, not only the presence.

> I'm sure it's safe, and likely a good idea to have in, given the number of
> tutorials that have it in, but I just dislike the idea of having something
> in my to be firewall script that I have little understanding of.

Can you point us to a tutorial which has this in and does not explain it?
Especially the one where this rule makes sense.

Regards
Bernd
--
(OO) -- Bernd_Eckenfels@Mörscher_Strasse_8.76185Karlsruhe.de --
( .. ) ecki@{inka.de,linux.de,debian.org} http://www.eckes.org/
o--o 1024D/E383CD7E eckes@IRCNet v:+497211603874 f:+49721151516129
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!

--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
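The following is an added example, not code from the original post or from the iptables project. It parses the TCP options field in the RFC 793 kind/length/data layout listed above and reproduces the two checks the reply distinguishes: the presence test that `--tcp-option 2` performs (and its `!` negation), and an ipt_unclean-style content check that an MSS option really is 4 bytes long. The option byte strings are constructed for the example (a typical Linux SYN carrying MSS/SACK-permitted/timestamps/window-scale, an ACK carrying only NOP/NOP/timestamps, a malformed MSS with length 3, and a truncated block); the function names are the example's own.

```python
"""Parse TCP options and reproduce what `iptables --tcp-option [!] 2` tests.

Added example; byte strings below are constructed, not captured traffic.
"""
import struct
from typing import List, Optional, Tuple

# Option kinds from the IANA tcp-parameters registry quoted in the reply.
END_OF_OPTIONS = 0
NO_OPERATION = 1
MAX_SEGMENT_SIZE = 2
WINDOW_SCALE = 3


def parse_tcp_options(opts: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TCP options block and return (kind, data) pairs.

    Kind 0 (EOL) ends the list; kind 1 (NOP) has no length byte; every
    other kind is followed by a length byte covering kind+length+data.
    Raises ValueError for blocks whose declared lengths do not fit.
    """
    parsed = []
    i, n = 0, len(opts)
    while i < n:
        kind = opts[i]
        if kind == END_OF_OPTIONS:
            break  # anything after EOL is padding
        if kind == NO_OPERATION:
            parsed.append((kind, b""))
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError(f"kind {kind} at offset {i} has no length byte")
        length = opts[i + 1]
        if length < 2 or i + length > n:
            raise ValueError(f"kind {kind} at offset {i} has bad length {length}")
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed


def has_tcp_option(opts: bytes, kind: int) -> bool:
    """Presence test: this is all that `--tcp-option <kind>` checks."""
    return any(k == kind for k, _ in parse_tcp_options(opts))


def rejected_by_not_mss_rule(opts: bytes) -> bool:
    """Would `-p tcp --tcp-option ! 2 -j REJECT` fire on this segment?"""
    return not has_tcp_option(opts, MAX_SEGMENT_SIZE)


def mss_value(opts: bytes) -> Optional[int]:
    """Content check in the spirit of ipt_unclean: MSS must be exactly 4 bytes."""
    for kind, data in parse_tcp_options(opts):
        if kind == MAX_SEGMENT_SIZE:
            if len(data) != 2:
                raise ValueError(f"MSS option with total length {len(data) + 2}")
            return struct.unpack("!H", data)[0]
    return None


# Constructed sample option blocks (hypothetical, not from the original post).
SYN_OPTS = bytes.fromhex(
    "020405b4"              # MSS = 1460
    "0402"                  # SACK permitted
    "080a0001e24000000000"  # timestamps: TSval=123456, TSecr=0
    "01"                    # NOP (alignment)
    "030307"                # window scale = 7
)
ACK_OPTS = bytes.fromhex("0101" "080a0001e24100bc614e")  # NOP NOP timestamps
BAD_MSS_OPTS = bytes.fromhex("020305" "00")               # MSS with length 3, then EOL
TRUNCATED_OPTS = bytes.fromhex("020405")                  # MSS claims 4 bytes, has 3


if __name__ == "__main__":
    for name, opts in (("SYN", SYN_OPTS), ("ACK", ACK_OPTS)):
        print(name, parse_tcp_options(opts),
              "rejected by '! 2' rule:", rejected_by_not_mss_rule(opts))
    for opts in (BAD_MSS_OPTS, TRUNCATED_OPTS):
        try:
            mss_value(opts)
        except ValueError as e:
            print("malformed:", e)
```

Running it shows the point of the reply: the normal SYN carries MSS and is left alone by the `! 2` rule, while the ordinary data-phase ACK (which never carries MSS) is exactly what that rule matches, so the rule only makes sense after an earlier rule has already accepted established traffic. The malformed and truncated blocks are the kind of thing a content check such as ipt_unclean cares about; `--tcp-option` alone does not look at the length or value.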
