December 21st, 2003, 08:07 AM
Firewall to block packets with RESET flag
I am looking for a firewall or similar piece of software, preferably free, that will allow me to drop packets if they have the RESET flag set, and make other powerful rules like that.
It could run on either Linux or windows.
Thanks for the help!
December 21st, 2003, 08:23 AM
December 21st, 2003, 10:53 AM
Just about any stateful packet filter should be able to do this, but you want to be careful. I have seen a bunch
of broken firewalls where folks are dropping RST & FIN. Sure, many sophisticated scans use these to attempt
to figure out what the remote host is based on the response, but they are in TCP for a reason and you'll
get some damned weird results if external hosts can't get a FIN through to your network (such as when a
download finishes and the remote end sends FIN to let the client know the transfer is complete).
A better approach is to drop any initial packets with anything other than just SYN set if establishing an
inbound connection to a service on your network, or anything other than SYN/ACK set in response to one
of your clients' requests to establish a connection. Anything else (URG, PSH, FIN) seen in the initial packets
from a remote host should be treated with extreme suspicion, or dropped.
Get OpenSolaris http://www.opensolaris.org/
December 21st, 2003, 10:27 PM
Thanks for your reply, spurious_inode, but I wasn't going to block all packets like that, just from a certain host that I am doing some experimenting with. With permission, of course!
December 21st, 2003, 11:28 PM
NetFilter/IPtables, which is the default built-in Linux firewall, is able to do so.
You should try a rule like:
# iptables -A INPUT -m state --state NEW -p tcp -s your-target-ip --tcp-flags RST RST -j DROP
Life is boring. Play NetHack... --more--
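Both rule ideas in this thread, spurious_inode's "only a bare SYN may open an inbound connection" advice and the per-host RST drop in the last post, as one added example. This is not code from any of the posters; it is a small POSIX shell script that prints the rules and, on request, loads them. It assumes a Linux host with iptables and connection tracking, uses the placeholder target 203.0.113.5 (RFC 5737 documentation range) in place of your-target-ip, and adds one rule the thread does not mention, an OUTPUT rule for raw-socket experiments, labelled as an assumption in the comments. Two notes on the last post's rule: the --tcp-flags match takes two arguments, a mask and a comparison list, so it must read "RST RST"; and the RST a peer sends back to a SYN you originated is classified ESTABLISHED, not NEW, by connection tracking, so the example leaves the state match out of that rule.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints (or, with "apply", loads)
# netfilter rules for the two ideas discussed above. TARGET is the host you
# are experimenting with; 203.0.113.5 in the usage lines is a placeholder
# from the RFC 5737 documentation range, not a real host.
#
#   sh rst-rules.sh 203.0.113.5          # show the rules
#   sh rst-rules.sh 203.0.113.5 apply    # load them with iptables (as root)

# Per-host rule from the last post, with the --tcp-flags syntax fixed: the
# match takes a mask and a comparison list, so "RST RST" means "RST set,
# ignore the other flags". No state match here: the RST a remote stack
# sends in reply to a SYN we originated is classified ESTABLISHED, not NEW,
# so "--state NEW" would pass exactly the packets we want to drop.
experiment_rules() {
    target=$1
    echo "-A INPUT -p tcp -s $target --tcp-flags RST RST -j DROP"
    # Assumed extension, not in the thread: when SYNs are built with a
    # raw-socket tool, the local TCP stack knows nothing about the session
    # and answers the peer's SYN/ACK with an RST of its own. Dropping our
    # outgoing RSTs to the target keeps that half-open session alive.
    echo "-A OUTPUT -p tcp -d $target --tcp-flags RST RST -j DROP"
}

# spurious_inode's recommendation for the inbound side: a packet that opens
# a NEW connection must be a bare SYN. "ALL SYN" examines SYN,ACK,FIN,RST,
# URG,PSH and requires that only SYN is set (ECE/CWR are not part of ALL,
# so ECN setup still passes); "!" negates the match, so SYN+FIN, SYN+PSH+URG
# and ACK-only mid-stream pickups are dropped. For replies to our own
# clients there is no "first reply" state to match on, but connection
# tracking flags the common wrong cases (an ACK or FIN answering our SYN,
# a FIN/RST/SYN-ACK belonging to no tracked session) as INVALID; the second
# rule drops those. RST and FIN on established sessions are untouched.
handshake_rules() {
    echo "-A INPUT -p tcp -m state --state NEW ! --tcp-flags ALL SYN -j DROP"
    echo "-A INPUT -m state --state INVALID -j DROP"
}

# Feed generated lines to iptables; word splitting of $line is intended.
apply_rules() {
    while read -r line; do
        # shellcheck disable=SC2086
        iptables $line || return 1
    done
}

main() {
    target=${1:?usage: $0 TARGET [apply]}
    rules=$(experiment_rules "$target"; handshake_rules)
    if [ "$2" = apply ]; then
        printf '%s\n' "$rules" | apply_rules
    else
        printf '%s\n' "$rules"
    fi
}

# Run only when invoked with arguments, so the file can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Run it without "apply" first and read the four lines it prints; to remove the rules later, run the same lines with -D in place of -A. The OUTPUT rule is only useful for raw-socket experiments against that one host, since it also silences the RSTs a normal closed-port probe from this machine would send.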