Re: ipchains X ipfw compatibility
Tim Haynes wrote:
> Yup, that's the bunny. New incoming connections are characterised exactly by
> having the SYN flag set, continuations of already-established connections
> don't have it, so something like
> ipchains -I input -p tcp ! -y -j ACCEPT
> should do the trick. You might feel happier expressly putting
> -s 0.0.0.0/0.0.0.0
> -d 0.0.0.0/0.0.0.0
> in there as well to get the 'any's across.
This *is* the nearest equivalent, but is massively less functional than
using, for example, ipfilter - ipchains does not keep track of
and so cannot actually check that the packet is part of an established
that it's not the start of a new one. Which is a massive difference.
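
The difference discussed in this message, as an added example that is not part of the original thread: a small Python model comparing the quoted "! -y" rule with a simplified keep-state filter. The addresses, ports, packet labels and the StatefulFilter class are constructed for illustration; the -y test is modelled as SYN set with ACK and FIN cleared.

```python
from dataclasses import dataclass

FIN, SYN, ACK = 0x01, 0x02, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_syn_only(p):
    """Model of ipchains -y: SYN set, ACK and FIN cleared."""
    return bool(p.flags & SYN) and not (p.flags & (ACK | FIN))


def stateless_accept(p):
    """Model of the quoted rule: -p tcp ! -y -j ACCEPT (flags only, no memory)."""
    return not is_syn_only(p)


class StatefulFilter:
    """Simplified keep-state model (an assumption, not ipfilter's real code)."""

    def __init__(self):
        self.flows = set()

    def outbound(self, p):
        # Remember the flow the inside host opened.
        self.flows.add((p.src, p.sport, p.dst, p.dport))

    def inbound_accept(self, p):
        # Accept only packets that reverse a recorded flow.
        return (p.dst, p.dport, p.src, p.sport) in self.flows


def evaluate():
    """Return {label: (stateless verdict, stateful verdict)} for constructed packets."""
    fw = StatefulFilter()
    fw.outbound(Packet("192.0.2.10", 40000, "198.51.100.5", 80, SYN))
    inbound = {
        "reply SYN+ACK": Packet("198.51.100.5", 80, "192.0.2.10", 40000, SYN | ACK),
        "unsolicited ACK": Packet("203.0.113.9", 4444, "192.0.2.10", 22, ACK),
        "new SYN": Packet("203.0.113.9", 4444, "192.0.2.10", 22, SYN),
    }
    return {k: (stateless_accept(p), fw.inbound_accept(p)) for k, p in inbound.items()}
```

Both filters pass the genuine reply and drop the new SYN; only the flag-based rule also passes the ACK that belongs to no recorded connection.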