Christer Nilsson
2004-Feb-05 15:36 UTC
Norton personal firewall tells me that bad TCP packets are received
This is some of the messages I get:

TCP non-syn/non-ack packet on invalid connection. Packet has been dropped
TCP Source Port: http(80)
TCP Destination Port: 2595
TCP Message Flags: 0x00000019

The TCP Message Flags vary. I've seen 0x00000011, 0x00000010, 0x00000018, 0x00000004, 0x00000014 and 0x00000019.

Intrusion: Invalid TCP Flags
TCP Source Port: 6881
TCP Destination Port: 4307
TCP Flags invalid: 0x00000015

Here I've seen 0x00000712 and 0x00000015.

Intrusion: Invalid TCP Source Port
TCP Source Port: 0. This is an invalid port number.
TCP Destination Port: 6881

Intrusion: Invalid TCP Options
TCP Source Port: 33931
TCP Destination Port: 6881
Invalid TCP Option: 0xc660b2ba

As I have:

net eth0 detect dhcp,routefilter,norfc1918,tcpflags

in interfaces, I thought that the invalid stuff should be prevented from entering my network... Running "shorewall show tcpflags" reveals that nothing has been caught. Both loc and dmz are NAT'ed atm.

I imagine I should just add a rule for source port zero to fix that part.

Should I be concerned, as only one computer on my net has Norton installed?

Christer
Tom Eastep
2004-Feb-05 17:46 UTC
Re: Norton personal firewall tells me that bad TCP packets are received
On Thursday 05 February 2004 07:36 am, Christer Nilsson wrote:

> This is some of the messages I get:
>
> TCP non-syn/non-ack packet on invalid connection. Packet has been dropped
> TCP Source Port: http(80)
> TCP Destination Port: 2595
> TCP Message Flags: 0x00000019
>
> The TCP Message Flags vary. I've seen 0x00000011, 0x00000010,
> 0x00000018, 0x00000004, 0x00000014 and 0x00000019.

These are not harmful -- you can catch some of them by setting NEWNOTSYN=No on your firewall but you can't stop them all. They typically occur when there are timeouts during TCP session termination.

> Intrusion: Invalid TCP Flags
> TCP Source Port: 6881
> TCP Destination Port: 4307
> TCP Flags invalid: 0x00000015
>
> Here I've seen 0x00000712 and 0x00000015.

The 'tcpflags' option in Shorewall focuses on those combinations of flags that are used in stealth scans; it doesn't try to catch all invalid combinations.

> Intrusion: Invalid TCP Source Port
> TCP Source Port: 0. This is an invalid port number.
> TCP Destination Port: 6881

You don't mention which version of Shorewall you are running -- recent versions catch source port 0 under the 'tcpflags' option.

> Intrusion: Invalid TCP Options
> TCP Source Port: 33931
> TCP Destination Port: 6881
> Invalid TCP Option: 0xc660b2ba

These can be caught by Shorewall if you set the 'dropunclean' option. I DON'T recommend that option (it's going away in Shorewall 2.0) as there are a lot of broken TCP stacks out there that do things like this -- they don't hurt anything and blocking them just causes annoying connection problems.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
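Added example, not from the thread or from Shorewall: a Python decoder for the hex flag values Norton reports, with a 'tcpflags'-style check for the stealth-scan combinations Tom describes, so you can see why 0x19 (FIN+PSH+ACK, a session-end leftover) passes such a rule while 0x712 (SYN+ACK with reserved bits set) is a genuinely malformed header. The rule list, the reserved-bit test and the sample alert are my assumptions and approximations, not Shorewall's actual rule set.

```python
import re

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}
ALL = FIN | SYN | RST | PSH | ACK | URG   # what iptables calls ALL
RESERVED = 0xFF00                         # bits above the flag byte: not TCP flags

def decode_flags(value):
    """Names of the flag bits set in a Norton-style hex flag value."""
    return {name for bit, name in NAMES.items() if value & bit}

# (name, mask, match) in the style of iptables --tcp-flags MASK COMP.
# Assumption: an approximation of the stealth-scan patterns a tcpflags
# ruleset looks for, not Shorewall's real rules.
STEALTH_RULES = [
    ("xmas", ALL, FIN | PSH | URG),
    ("null", ALL, 0),
    ("syn+rst", SYN | RST, SYN | RST),
    ("syn+fin", SYN | FIN, SYN | FIN),
]

def classify(value, sport=None):
    """Say what a flag value means and whether a flags rule would see it."""
    if sport == 0:
        return "source-port-0"        # never legitimate, easy to drop
    for name, mask, match in STEALTH_RULES:
        if value & mask == match:
            return "stealth-scan:" + name
    if value & RESERVED:
        return "reserved-bits"        # malformed header, not a flag combination
    if value & SYN and not value & ACK:
        return "syn"                  # ordinary connection attempt
    return "non-syn"                  # session-end leftovers; flag rules pass these

def parse_norton(block):
    """Extract (source port, flag value) from one Norton alert block."""
    sport = re.search(r"TCP Source Port:\s*(?:\w+\()?(\d+)", block)
    flags = re.search(r"TCP (?:Message )?Flags(?: invalid)?:\s*(0x[0-9A-Fa-f]+)", block)
    return (int(sport.group(1)) if sport else None,
            int(flags.group(1), 16) if flags else None)

# Constructed sample in the format of the alerts quoted in the thread.
SAMPLE = """Intrusion: Invalid TCP Flags
TCP Source Port: 6881
TCP Destination Port: 4307
TCP Flags invalid: 0x00000712"""

if __name__ == "__main__":
    sport, flags = parse_norton(SAMPLE)
    print(sorted(decode_flags(flags)), classify(flags, sport))
```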