Port scan detection / connection tracking question

Does connection tracking need to be enabled in v3 for the port scan rules which check the tcp flags on the packets to work?

Or, will all the rules work fine without connection tracking? I know the rules are looking at packets, but I want to be sure…

Thanks

Scott

anybody?

Thanks

Could you please post those rules?

17 ;;; NMAP FIN Stealth scan
chain=forward action=add-src-to-address-list
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg src-address-list=!BW
address-list=Bees address-list-timeout=1d protocol=tcp

18 ;;; SYN/FIN scan
chain=forward action=add-src-to-address-list tcp-flags=fin,syn
src-address-list=!BW address-list=Bees address-list-timeout=1d
protocol=tcp

19 ;;; SYN/RST scan
chain=forward action=add-src-to-address-list tcp-flags=syn,rst
src-address-list=!BW address-list=Bees address-list-timeout=1d
protocol=tcp

20 ;;; FIN/PSH/URG scan
chain=forward action=add-src-to-address-list
tcp-flags=fin,psh,urg,!syn,!rst,!ack src-address-list=!BW
address-list=Bees address-list-timeout=1d protocol=tcp

21 ;;; ALL/ALL scan
chain=forward action=add-src-to-address-list
tcp-flags=fin,syn,rst,psh,ack,urg src-address-list=!BW address-list=Bees
address-list-timeout=1d protocol=tcp

22 ;;; NMAP NULL scan
chain=forward action=add-src-to-address-list
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg src-address-list=!BW
address-list=Bees address-list-timeout=1d protocol=tcp
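To make concrete why these rules are per-packet, here is an added Python model of the match logic (not RouterOS code and not from this thread). It assumes the usual reading of tcp-flags: bare flags must be set, "!" flags must be clear, and unlisted flags are ignored. It evaluates each of the six posted rules against constructed sample packets and simulates the add-src-to-address-list action with the BW exclusion, keeping no per-connection state at all.

```python
"""Stateless evaluation of the tcp-flags scan rules posted above (added example)."""

TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# The six rules as posted in the thread: (rule comment, tcp-flags value).
SCAN_RULES = [
    ("NMAP FIN Stealth scan", "fin,!syn,!rst,!psh,!ack,!urg"),
    ("SYN/FIN scan", "fin,syn"),
    ("SYN/RST scan", "syn,rst"),
    ("FIN/PSH/URG scan", "fin,psh,urg,!syn,!rst,!ack"),
    ("ALL/ALL scan", "fin,syn,rst,psh,ack,urg"),
    ("NMAP NULL scan", "!fin,!syn,!rst,!psh,!ack,!urg"),
]


def parse_tcp_flags(expr):
    """Split a tcp-flags value into (must_set, must_clear).

    Assumed semantics: a bare flag must be set, a '!'-prefixed flag must be
    clear, and any flag not mentioned is a don't-care.
    """
    must_set, must_clear = set(), set()
    for token in expr.split(","):
        token = token.strip().lower()
        if not token:
            continue
        negated = token.startswith("!")
        name = token[1:] if negated else token
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag: {name!r}")
        (must_clear if negated else must_set).add(name)
    if must_set & must_clear:
        raise ValueError(f"contradictory tcp-flags expression: {expr!r}")
    return must_set, must_clear


def flags_match(packet_flags, expr):
    """True if a packet carrying exactly `packet_flags` satisfies `expr`."""
    must_set, must_clear = parse_tcp_flags(expr)
    present = {f.lower() for f in packet_flags}
    return must_set <= present and not (must_clear & present)


def matching_rules(packet_flags):
    """Comments of every rule this single packet would hit, in rule order.
    Only the packet in hand is consulted; no flow table is involved."""
    return [comment for comment, expr in SCAN_RULES if flags_match(packet_flags, expr)]


def apply_rules(packets, whitelist=frozenset()):
    """Simulate action=add-src-to-address-list over a packet stream.

    packets:   iterable of (src_ip, set_of_flag_names)
    whitelist: plays the role of the BW list (src-address-list=!BW skips it)
    Returns {src_ip: [rule comments that fired]} standing in for 'Bees'.
    """
    bees = {}
    for src, flags in packets:
        if src in whitelist:
            continue
        hits = matching_rules(flags)
        if hits:
            bees.setdefault(src, []).extend(hits)
    return bees


# Constructed sample traffic (addresses are documentation ranges, not real hosts).
SAMPLE_PACKETS = [
    ("198.51.100.7", {"syn"}),                 # ordinary handshake start
    ("198.51.100.7", {"ack"}),                 # ordinary data/ack segment
    ("203.0.113.9", set()),                    # no flags at all
    ("203.0.113.9", {"fin"}),                  # lone FIN
    ("203.0.113.9", {"fin", "psh", "urg"}),    # FIN+PSH+URG
    ("192.0.2.44", set(TCP_FLAGS)),            # every flag set
    ("10.0.0.5", {"fin"}),                     # source on the BW list
]

if __name__ == "__main__":
    for src, fired in apply_rules(SAMPLE_PACKETS, whitelist={"10.0.0.5"}).items():
        print(f"{src}: {', '.join(fired)}")
```

Note that a plain SYN, a plain ACK, or a SYN/ACK matches none of the six expressions, so ordinary handshakes never land in Bees; that property comes entirely from the flag combinations chosen, not from any knowledge of connection state.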

those rules do not need connection tracking…

Here is the reply I got from support this morning…

Connection tracking is necessary for almost all (including PSD) firewall
options.

Scott

PSD is an internal mechanism for scan detection. You do not use it in your rules.

Actually I only posted a portion of the rules that applied to this post, obviously I missed one :)

So the PSD mechanism requires conn tracking but the rules I posted here do not… does that sound correct? Would make more sense to me if that were the case.

Scott

Yes, your rules do not use the internal firewall PSD.

Correct. Anything where it's looking at more than just TCP flags or things that encompass only single packets should be okay without conntrack. (Someone correct me if I'm wrong…)

Sam