Firewalls blocking SYN packets

  1. #1 (Member, Join Date: Apr 2004, Posts: 38)

    Hi again, guys.

    I'm currently playing with several of the firewall distros and today came across a problem I don't know how to handle correctly.

    I first noticed the issue with Endian (which has a set of pre-defined firewall rules), but after adding some basic rules to Vyatta (namely blocking all outbound TCP except for http(s), IMAP(s), POP3(s), SMTP, DNS), hit the same query.

    One of the sites I visit is https. I was having difficulty connecting to it. Upon examining the logs, there were some outbound TCP SYN requests that were being blocked, destined for ports 843 and 32256/32257. Allowing these ports out cured the problem.

    For future reference, though, rather than open ports (which could vary by the look of it), I was wondering if it was OK to, say, allow all outbound SYN requests from the LAN? Or SYN requests for established connections only? Or am I paving the way to vuln city?

    Thanks.
    What's your favourite OS?

    Seen it. Tried it. Crashed it.

  2. #2 (Member, Join Date: Apr 2004, Posts: 38)

    After doing a bit of digging I see that SYN packets are the first in creating a TCP handshake - although in this case it must be initiated by the web page loaded in my browser.

    (This also assumes that I'm reading pfSense's logs right, and TCP:S doesn't include a SYN ACK?)

    If that's the case, I think that allowing all SYN packets from my LAN to the host site's network should be reasonably secure.


    If anyone knows otherwise please let me know!
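A stateful outbound policy modelled on the rules discussed in this thread, as an added example that is not from the original posts or from any of the firewall products named: the allowed-port set, IP addresses and flag strings are constructed, and the flag letters follow the pfSense-style notation mentioned in post #2 (S = SYN, SA = SYN-ACK, A = ACK).

```python
from dataclasses import dataclass
# Outbound services listed in the thread: http(s), IMAP(s), POP3(s), SMTP, DNS.
ALLOWED_OUT_PORTS = {80, 443, 143, 993, 110, 995, 25, 53}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # pfSense-style letters: "S" = SYN, "SA" = SYN-ACK, "A" = ACK
def is_new_connection_syn(flags: str) -> bool:
    """True for a bare SYN (what iptables' --syn matches): SYN set, ACK/RST/FIN clear.
    A SYN-ACK ("SA") is the server's reply and does not open a new connection."""
    return "S" in flags and not any(f in flags for f in "ARF")

class StatefulFirewall:
    def __init__(self, allowed_ports, allow_any_syn=False):
        self.allowed_ports = set(allowed_ports)
        self.allow_any_syn = allow_any_syn  # the "allow all outbound SYN" option
        self.conns = set()  # connections the LAN has opened, keyed by 4-tuple

    def outbound(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.conns:
            return "ALLOW established"
        if is_new_connection_syn(p.flags):
            if self.allow_any_syn or p.dport in self.allowed_ports:
                self.conns.add(key)
                return "ALLOW new"
            return f"BLOCK TCP:S to port {p.dport}"  # what the log entries for 843 showed
        return "BLOCK no state"  # ACK/FIN etc. with no connection to belong to

    def inbound(self, p: Packet) -> str:
        # Only replies to LAN-initiated connections get in; an outside SYN never creates state.
        key = (p.dst, p.dport, p.src, p.sport)
        return "ALLOW reply" if key in self.conns else "BLOCK unsolicited"

def simulate(allow_any_syn=False):
    """Constructed traffic (not the thread's real logs) run through either policy variant."""
    fw = StatefulFirewall(ALLOWED_OUT_PORTS, allow_any_syn)
    lan, site = "192.168.1.10", "203.0.113.5"  # constructed addresses
    return [
        fw.outbound(Packet(lan, 50000, site, 443, "S")),  # https: allowed either way
        fw.inbound(Packet(site, 443, lan, 50000, "SA")),  # server's SYN-ACK reply
        fw.outbound(Packet(lan, 50000, site, 443, "A")),  # handshake completes
        fw.outbound(Packet(lan, 50001, site, 843, "S")),  # the port that had to be opened
        fw.inbound(Packet(site, 4444, lan, 50002, "S")),  # outside-initiated SYN
    ]
```

Turning `allow_any_syn` on is the "allow all outbound SYN" option asked about: the LAN can then open a connection to any destination port (843 included) while outside-initiated SYNs are still dropped. A bare SYN is the packet that creates connection state, so "SYN requests for established connections only" would match nothing; the SYN-ACK that follows is already covered by the established-connection rule.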

  3. #3 (Member, Join Date: Apr 2004, Posts: 38)

    It looks as though firewalls aren't as granular as I thought - at least not the ones I'm looking at. I've ended up allowing all TCP packets out to that site. Oh well.

  4. #4 (Member, Join Date: Apr 2004, Posts: 38)

    Just in case anyone is interested, it turns out that the Vyatta commercial edition DOES allow filtering by TCP flags. Unfortunately the community edition doesn't.
