Firewalls with Flag Filtering

Discussion in 'other firewalls' started by Diver, Mar 25, 2005.

Thread Status:
Not open for further replies.
  1. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Offhand, I can think of three firewalls that give the user the ability to filter at the TCP flag level:

    CHX-1
    Jetico
    Look n Stop

    Are there any others out there other than high end enterprise solutions like Check Point?
     
  2. dukebluedevil

    dukebluedevil Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    177
    Those are the only three firewalls that I know of that allow you to filter by TCP flags.

    I wonder if the newest 8Signs/Visnetic firewall offers this capability at all? You would almost think that they would most certainly have this. It's been a long time though since I last used that firewall, so I don't really remember if it had this or not.
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    You cannot filter by flags in 8Signs/Visnetic.

    Regards,

    CrazyM
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Are you talking about Syn, Ack, Fin, Rst, Psh, etc? If so, any particular reason why? (stateful inspection should do whatever filtering is necessary here).

    I'd be more interested in being able to filter based on IP options - specifically to be able to block any packets using Source Routing (which can be abused by those who wish to spoof their IP address yet still receive replies).
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Diver - Those are the only ones I've run across also.. Although it's impressive to be able to use the flags, I've not found too much need for it in practical experience. I used the flags for a while in Jetico when they had that inbound listening port problem, but other than that I've not used them much. I believe Phantom's LnS rules use them extensively though, to block and log incoming TCP packets with various flag combos...
     
  6. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    At this point using the flags is mainly a learning thing. I am thinking about looking at Phant0m's rules for LnS and seeing how they translate to CHX-1.

    Obviously, most firewalls deal with the flag thing "under the hood". The SYN flag is initiating a connection, so these are blocked, unless a server port is set up, and so forth.

    Please elaborate on Source Routing and IP address spoofing, so we can all learn about it.
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Phantom's use of all the flags in the LnS rules seemed to be mostly for logging purposes, since LnS would block all that stuff already, without all his various rules and flags.. If I'm wrong, someone correct me please though..
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Those links about Source Routing do provide a basic introduction but do not really give specific details.

    IP address spoofing is itself quite simple - all it requires is for an attacker to modify the source address of the packets they send out (from real address X to fake address Y). However, all replies will go to the real address Y so this leaves the attacker in the position of not being able to tell (except indirectly) if their attempt was successful or not.

    Source routing allows the attacker to overcome this by specifying the exact route their packets should take to the victim - any responses are then sent back via the same route (reversing the list of IP addresses supplied) which means that they do reach the attacker.

    Therefore blocking packets using this option is a good idea for home users (who are very unlikely to need to use source routing themselves). However it should be noted that many ISPs do themselves block such packets from entering/leaving their networks (to check your ISP, experiment with ping using the -j or -k options) making this a less urgent issue.

    CrazyM, although this is different from TCP flags, it is closely related (other IP options include Timestamp and Record Route, see page 16 of RFC 791 - Internet Protocol for details) so I hope you do excuse continuing in this thread rather than starting a new one.
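    The check described above (block anything carrying a source route option), as an added example that is not code from this thread or from any of the firewalls named in it. It parses the IPv4 option area per RFC 791, reports the hop list for Loose/Strict Source and Record Route (option types 131 and 137), and also recognises the Record Route and Timestamp options mentioned in the post. The sample headers are constructed inline; `build_ipv4_header` and `lsrr_option` are test fixtures written for this example, not anything a real firewall exposes.

```python
import struct

# IPv4 option type codes from RFC 791 (copy flag, class and number packed in one byte)
IPOPT_EOL = 0      # End of Option List
IPOPT_NOP = 1      # No Operation
IPOPT_RR = 7       # Record Route
IPOPT_TS = 68      # Internet Timestamp
IPOPT_LSRR = 131   # Loose Source and Record Route
IPOPT_SSRR = 137   # Strict Source and Record Route

SOURCE_ROUTE_TYPES = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def parse_ipv4_options(packet: bytes):
    """Walk the option area of an IPv4 header; return [(type, data), ...].

    Raises ValueError for headers a filter should treat as malformed.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    found, i = [], 0
    while i < len(opts):
        opt_type = opts[i]
        if opt_type == IPOPT_EOL:         # single-byte options carry no length
            break
        if opt_type == IPOPT_NOP:
            found.append((opt_type, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found.append((opt_type, opts[i + 2:i + length]))
        i += length
    return found


def source_route_hops(packet: bytes):
    """Return (option name, [hop IPs]) if the packet is source-routed, else None."""
    for opt_type, data in parse_ipv4_options(packet):
        if opt_type in SOURCE_ROUTE_TYPES:
            route = data[1:]                  # data[0] is the pointer byte
            hops = [".".join(str(b) for b in route[j:j + 4])
                    for j in range(0, len(route) - len(route) % 4, 4)]
            return SOURCE_ROUTE_TYPES[opt_type], hops
    return None


def should_drop(packet: bytes) -> bool:
    """Inbound policy: drop source-routed packets, and drop anything malformed."""
    try:
        return source_route_hops(packet) is not None
    except ValueError:
        return True


# --- constructed sample packets (test fixtures, not captured traffic) ---------
def _ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Build a bare IPv4 header (zero checksum, protocol TCP) for testing."""
    while len(options) % 4:                   # option area is padded to 32 bits
        options += bytes([IPOPT_EOL])
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4,
                        0, 0, 64, 6, 0, _ip_bytes(src), _ip_bytes(dst))
    return fixed + options


def lsrr_option(hops) -> bytes:
    """Encode a Loose Source Route option listing the given hops (pointer = 4)."""
    route = b"".join(_ip_bytes(h) for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(route), 4]) + route


if __name__ == "__main__":
    plain = build_ipv4_header("192.0.2.10", "192.0.2.20")
    routed = build_ipv4_header("192.0.2.10", "192.0.2.20",
                               lsrr_option(["198.51.100.1", "203.0.113.7"]))
    print("plain  :", should_drop(plain), source_route_hops(plain))
    print("routed :", should_drop(routed), source_route_hops(routed))
```

    The parser deliberately raises on a missing or out-of-range option length rather than skipping the option, and `should_drop` turns that into a drop: an inspection routine that silently tolerates a malformed option area is easy to steer around.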
     
  10. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    P2K & CrazyM thanks for the info. I need to look into this some more and will start another thread when ready.

    K- I believe that LnS does need the packet flag rules by design. Probably best to ask that in the LnS forum. I reached that conclusion because they have a rule to reject SYN packets. Those are the packets that are initiating communication, as with a server port. Also, LnS has stateful off, out of the box, so the thing regulating traffic would be the reject SYN rule.
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Diver - that's a good point, with stateful off then you would need the SYN flags. I hadn't thought of that since I had stateful on. I was referring more to all of those rules that Phantom had in his rule set with various flags. Most of them seem unnecessary to me.
     
  12. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I think that some of what PhantOm is going after are packets with invalid combinations of flags. Most firewalls take care of that stuff without the user having any access to it.
     
  13. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    Yes, that's completely correct. This is usually covered in the basic "SPI" of firewalls as Paranoid2000 mentioned in a previous thread. The only real use for mucking around with flags in a firewall IMO is for pseudo packet sniffing without data capture, in which case it's better to just use a proper packet sniffer.
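    What the last few posts describe, as an added example written for this thread rather than code from LnS, CHX-1 or any other product: a stateless inbound check that classifies the six TCP flag bits, flags the combinations no real stack sends (the "invalid combinations" a firewall's SPI normally handles for you), and applies a "reject SYN unless a server port is open" rule of the kind discussed above. The classification rules (every segment except the first SYN and a bare RST carries ACK; SYN never travels with FIN or RST) follow RFC 793; the `inbound_verdict` policy and the constructed `build_tcp_header` fixture are this example's own.

```python
import struct

# TCP flag bits (low six bits of header byte 13)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = ((URG, "URG"), (ACK, "ACK"), (PSH, "PSH"),
              (RST, "RST"), (SYN, "SYN"), (FIN, "FIN"))


def tcp_flags(segment: bytes) -> int:
    """Pull the six classic flag bits out of a TCP header (ECN bits masked off)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F


def flag_names(flags: int) -> str:
    """Human-readable form for a log line, e.g. 'ACK+SYN'."""
    return "+".join(name for bit, name in FLAG_NAMES if flags & bit) or "NONE"


def classify(flags: int) -> str:
    """Label a flag combination: 'syn', 'valid', or 'invalid:<reason>'.

    RFC 793 rule of thumb: every segment except the initial SYN and a bare RST
    carries ACK; SYN never travels with FIN or RST.
    """
    if flags == 0:
        return "invalid:null"
    if flags & SYN and flags & FIN:
        return "invalid:syn+fin"
    if flags & SYN and flags & RST:
        return "invalid:syn+rst"
    if not flags & (ACK | SYN | RST):      # e.g. FIN alone, FIN+PSH+URG
        return "invalid:no-ack"
    if flags == SYN:
        return "syn"
    return "valid"


def inbound_verdict(flags: int, has_listener: bool) -> str:
    """Stateless inbound policy (this example's assumption of how a
    'reject SYN unless a server port is open' rule behaves): invalid combos
    are dropped and logged, a bare SYN is only allowed where something is
    listening, and everything else passes because without a connection
    table there is nothing to compare it against."""
    label = classify(flags)
    if label.startswith("invalid"):
        return "drop+log"
    if label == "syn":
        return "allow" if has_listener else "reject"
    return "allow"


def build_tcp_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header (zero seq/ack/checksum) for testing."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


if __name__ == "__main__":
    for f in (SYN, SYN | ACK, ACK, FIN | ACK, RST, 0, SYN | FIN, FIN | PSH | URG):
        bits = tcp_flags(build_tcp_header(f))
        print(f"{flag_names(bits):12} {classify(bits):18} {inbound_verdict(bits, False)}")
```

    The last branch of `inbound_verdict` is the weak point of any stateless flag rule: an ACK-only segment to a closed port is passed because the rule has no way to know there was never a handshake, which is exactly the gap stateful inspection closes and why the posters above found little use for flag rules once stateful filtering was on.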
     
  14. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Ghost-

    Hmmmm..... If I can sniff that one out, perhaps I can get the number for the next Texas lottery.....
     