Offhand, I can think of three firewalls that give the user the ability to filter at the TCP flag level: CHX-1, Jetico and Look 'n' Stop. Are there any others out there, other than high-end enterprise solutions like Check Point?
Those are the only three firewalls that I know of that allow you to filter by TCP flags. I wonder if the newest 8Signs/Visnetic firewall offers this capability at all? You would almost think that they would most certainly have this. It's been a long time though since I last used that firewall, so I don't really remember if it had this or not.
Are you talking about SYN, ACK, FIN, RST, PSH, etc.? If so, any particular reason why? (Stateful inspection should do whatever filtering is necessary here.) I'd be more interested in being able to filter based on IP options - specifically to be able to block any packets using Source Routing (which can be abused by those who wish to spoof their IP address yet still receive replies).
Diver - Those are the only ones I've run across also. Although it's impressive to be able to use the flags, I've not found too much need for it in practical experience. I used the flags for a while in Jetico when they had that inbound listening port problem, but other than that I've not used them much. I believe Phantom's LnS rules use them extensively though, to block and log incoming TCP packets with various flag combos...
At this point using the flags is mainly a learning thing. I am thinking about looking at Phant0m's rules for LnS and seeing how they translate to CHX-1. Obviously, most firewalls deal with the flag thing "under the hood". The SYN flag is initiating a connection, so these are blocked, unless a server port is set up, and so forth. Please elaborate on Source Routing and IP address spoofing, so we can all learn about it.
Phantom's use of all the flags in the LnS rules seemed to be mostly for logging purposes, since LnS would block all that stuff already, without all his various rules and flags. If I'm wrong, someone correct me please though.
A couple of links to get you started: http://www.faqs.org/faqs/cisco-networking-faq/section-23.html http://www.iss.net/security_center/.../Methods/Technical/Source_Routing/default.htm May want to start another post on source routing and IP spoofing so this one does not stray too much. Regards, CrazyM
Those links about Source Routing do provide a basic introduction but do not really give specific details. IP address spoofing is itself quite simple - all it requires is for an attacker to modify the source address of the packets they send out (from real address X to fake address Y). However, all replies will go to the real address Y so this leaves the attacker in the position of not being able to tell (except indirectly) if their attempt was successful or not. Source routing allows the attacker to overcome this by specifying the exact route their packets should take to the victim - any responses are then sent back via the same route (reversing the list of IP addresses supplied) which means that they do reach the attacker. Therefore blocking packets using this option is a good idea for home users (who are very unlikely to need to use source routing themselves). However it should be noted that many ISPs do themselves block such packets from entering/leaving their networks (to check your ISP, experiment with ping using the -j or -k options) making this a less urgent issue. CrazyM, although this is different from TCP flags, it is closely related (other IP options include Timestamp and Record Route, see page 16 of RFC 791 - Internet Protocol for details) so I hope you do excuse continuing in this thread rather than starting a new one.
P2K & CrazyM, thanks for the info. I need to look into this some more and will start another thread when ready. K- I believe that LnS does need the packet flag rules by design. Probably best to ask that in the LnS forum. I reached that conclusion because they have a rule to reject SYN packets. Those are the packets that are initiating communication, as with a server port. Also, LnS has stateful off, out of the box, so the thing regulating traffic would be the reject SYN rule.
Diver - that's a good point, with stateful off then you would need the SYN flags. I hadn't thought of that since I had stateful on. I was referring more to all of those rules that Phantom had in his rule set with various flags. Most of them seem unnecessary to me.
I think that some of what PhantOm is going after are packets with invalid combinations of flags. Most firewalls take care of that stuff without the user having any access to it.
Yes, that's completely correct. This is usually covered in the basic "SPI" of firewalls as Paranoid2000 mentioned in a previous thread. The only real use for mucking around with flags in a firewall IMO is for pseudo packet sniffing without data capture, in which case it's better to just use a proper packet sniffer.
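Added example (not code from any poster in this thread): a small Python parser that does the two checks discussed above, spotting the RFC 791 source-route options Paranoid2000 suggests blocking and the invalid TCP flag combinations that stateful inspection normally drops "under the hood". The sample IPv4 header and LSRR option are constructed here with documentation-range addresses; the function names and the flag combinations treated as invalid are my own choices.

```python
import struct
from socket import inet_aton
# IP option type codes from RFC 791 (the copied and class bits are included)
IPOPT_EOL, IPOPT_NOP, IPOPT_RR, IPOPT_TS, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 7, 68, 131, 137
OPTION_NAMES = {IPOPT_RR: "Record Route", IPOPT_TS: "Timestamp",
                IPOPT_LSRR: "Loose Source Route", IPOPT_SSRR: "Strict Source Route"}
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20   # TCP flag bits

def parse_ip_options(packet: bytes):
    """Return [(option name, [addresses])] for every option in an IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4                 # header length in bytes
    opts, found, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed IP option")
        route, addrs = [], opts[i + 3:i + length]   # skip type, length and pointer
        if kind in (IPOPT_LSRR, IPOPT_SSRR, IPOPT_RR):
            route = [".".join(map(str, addrs[j:j + 4]))
                     for j in range(0, len(addrs) - len(addrs) % 4, 4)]
        found.append((OPTION_NAMES.get(kind, f"option {kind}"), route))
        i += length
    return found

def source_routed(packet: bytes) -> bool:
    """True if the header carries a loose or strict source-route option."""
    return any(name.endswith("Source Route") for name, _ in parse_ip_options(packet))

def invalid_tcp_flags(flags: int) -> bool:
    """SYN with FIN or RST, no flags at all, or FIN/PSH/URG without ACK."""
    if flags & SYN and flags & (FIN | RST):
        return True
    return (flags & 0x3F) == 0 or (bool(flags & (FIN | PSH | URG)) and not flags & ACK)

def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed IPv4 header (no payload) used as sample input, not a capture."""
    options += b"\x00" * (-len(options) % 4)     # pad options to 32-bit words
    return struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                       20 + len(options), 0, 0, 64, 6, 0,
                       inet_aton(src), inet_aton(dst)) + options

# Constructed LSRR option: type 131, length 11, pointer 4, two hops in documentation ranges
LSRR_OPTION = bytes([IPOPT_LSRR, 11, 4]) + inet_aton("198.51.100.1") + inet_aton("203.0.113.5")
PLAIN = build_ipv4_header("192.0.2.10", "192.0.2.20")
ROUTED = build_ipv4_header("192.0.2.10", "192.0.2.20", LSRR_OPTION)
```

Running `source_routed(ROUTED)` returns True while the plain header passes, which is the check a home firewall rule for "drop source-routed packets" boils down to.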
Ghost- Hmmmm..... If I can sniff that one out, perhaps I can get the number for the next Texas lottery.....