Ioannis Aslanidis
2003-Jul-06 04:57 UTC
[Shorewall-users] allowing illegal outgoing tcp flag combination
I've made a search both on the web and in your site about this. The only thing
I've found is fw -> net ACCEPT. But that doesn't seem enough. When I do
nmap -sN --scanflags SYN+PSH+URG x.x.x.x
packets don't go through and I get an "operation not permitted". Then I'm
forced to:
iptables -X
iptables -F
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
The problem is that I don't want everything to be accepted. I just want to
be able to send illegal TCP flag combinations (but not allow incoming ones).
What option/parameter/config/... should I have for this?
Below goes my info:
BlackHat root # shorewall version
1.4.5
BlackHat root # uname -a
Linux BlackHat 2.4.20-xfs-r3 #1 Thu Jul 3 12:00:55 CEST 2003 i686 AMD
Athlon(tm) XP 1800+ AuthenticAMD GNU/Linux
BlackHat root # ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:02:44:62:b4:b1 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:30:84:3b:c6:a6 brd ff:ff:ff:ff:ff:ff
inet 62.57.100.120/22 brd 255.255.255.255 scope global eth1
BlackHat root # ip route show
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
62.57.100.0/22 dev eth1 proto kernel scope link src 62.57.100.120
127.0.0.0/8 via 127.0.0.1 dev lo scope link
default via 62.57.100.1 dev eth1
BlackHat root # lsmod
Module Size Used by Tainted: P
ipt_TOS 952 12 (autoclean)
ipt_MASQUERADE 1400 1 (autoclean)
ipt_LOG 3384 0 (autoclean)
ipt_REJECT 2712 4 (autoclean)
ipt_ULOG 3752 9 (autoclean)
ipt_state 568 24 (autoclean)
iptable_mangle 2072 1 (autoclean)
ip_nat_irc 2512 0 (unused)
ip_nat_ftp 3184 0 (unused)
iptable_nat 16440 3 [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack_irc 2992 1
ip_conntrack_ftp 4016 1
ip_conntrack 20832 4 [ipt_MASQUERADE ipt_state ip_nat_irc
ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
iptable_filter 1644 1 (autoclean)
ip_tables 12088 11 [ipt_TOS ipt_MASQUERADE ipt_LOG ipt_REJECT
ipt_ULOG ipt_state iptable_mangle iptable_nat iptable_filter]
snd-usb-audio 39200 0 (unused)
snd-emu10k1 61172 0
snd-pcm 57696 0 [snd-usb-audio snd-emu10k1]
snd-timer 14372 0 [snd-pcm]
snd-page-alloc 4764 0 [snd-emu10k1 snd-pcm]
snd-util-mem 1280 0 [snd-emu10k1]
snd-rawmidi 13664 0 [snd-usb-audio snd-emu10k1]
snd-hwdep 4576 0 [snd-emu10k1]
snd-seq-device 3904 0 [snd-emu10k1 snd-rawmidi]
snd-ac97-codec 36168 0 [snd-emu10k1]
snd 28900 0 [snd-usb-audio snd-emu10k1 snd-pcm
snd-timer snd-util-mem snd-rawmidi snd-hwdep snd-seq-device snd-ac97-codec]
rtc 7356 0 (autoclean)
apm 9696 1
nvidia 1542336 10
sr_mod 14744 0 (unused)
cdrom 27040 0 [sr_mod]
printer 7168 0 (unused)
audio 40056 0
soundcore 3844 4 [snd audio]
pwc 41320 0 (unused)
videodev 5760 1 [pwc]
uhci 25712 0 (unused)
usbcore 60128 1 [snd-usb-audio printer audio pwc uhci]
8139too 15176 2
Thanks in advance for your help.
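As an added example (not part of this thread and not Shorewall's own code), here is a small Python model of how iptables' `--tcp-flags MASK COMP` match works, run against the SYN+PSH+URG combination from the question; the illegal-combination list is an assumed one in the style of a firewall "tcpflags" chain, not copied from Shorewall.

```python
import re

# TCP flag bits as carried in the TCP header (low 6 bits of the flags byte).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(FLAG_BITS.values())

def parse_flag_list(spec: str) -> int:
    """Turn 'SYN,PSH,URG' (iptables), 'SYN+PSH+URG' (nmap --scanflags),
    'ALL' or 'NONE' into a bitmask. Unknown flag names raise KeyError."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    mask = 0
    for name in re.split(r"[,+]", spec):
        mask |= FLAG_BITS[name.strip()]
    return mask

def tcp_flags_match(mask: str, comp: str, flags: int) -> bool:
    """Semantics of iptables '--tcp-flags MASK COMP': look only at the MASK
    bits of the packet and require exactly the COMP bits to be set there."""
    return (flags & parse_flag_list(mask)) == parse_flag_list(comp)

# Classic illegal-combination checks written as (MASK, COMP) pairs in the
# iptables style. Assumed rule set for this example; not copied from Shorewall.
ILLEGAL_CHECKS = [
    ("ALL", "FIN,URG,PSH"),     # "Xmas": FIN+URG+PSH and nothing else
    ("ALL", "NONE"),            # "null": no flags at all
    ("SYN,RST", "SYN,RST"),     # SYN and RST together
    ("SYN,FIN", "SYN,FIN"),     # SYN and FIN together
]

def classify(flag_spec: str) -> str:
    """Return 'illegal (<rule>)' if a flag combination trips one of the
    checks above, otherwise 'legal'."""
    flags = parse_flag_list(flag_spec)
    for mask, comp in ILLEGAL_CHECKS:
        if tcp_flags_match(mask, comp, flags):
            return f"illegal (--tcp-flags {mask} {comp})"
    return "legal"

if __name__ == "__main__":
    # The combination from the question plus a few constructed samples.
    for sample in ("SYN+PSH+URG", "FIN,URG,PSH", "NONE", "SYN,FIN,ACK", "ACK"):
        print(f"{sample:12} -> {classify(sample)}")
```

Note that SYN+PSH+URG passes every check in this list, so a rejection of that packet is worth tracing to the firewall's state or policy rules rather than to a flag-combination check.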
Tom Eastep
2003-Jul-06 05:09 UTC
[Shorewall-users] allowing illegal outgoing tcp flag combination
On Sun, 2003-07-06 at 04:57, Ioannis Aslanidis wrote:
>
> The problem is that I don't want everything to be accepted. I just want to
> be able to send illegal tcp flag combination (but not allowing incoming).
>
> What option/parameter/config/... should I have for this?

See FAQ #26

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep
2003-Jul-06 07:27 UTC
[Shorewall-users] allowing illegal outgoing tcp flag combination
On Sun, 2003-07-06 at 04:57, Ioannis Aslanidis wrote:
>
> iptables -X
> iptables -F
> iptables --policy INPUT ACCEPT
> iptables --policy OUTPUT ACCEPT
> iptables --policy FORWARD ACCEPT
>

If you ever feel the need to do the above again, "shorewall clear" is a lot easier to type.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net