[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ipchains X ipfw compatibility

Tim Haynes wrote:

> Yup, that's the bunny. New incoming connections are characterised exactly by
> having the SYN flag set, continuations of already-established connections
> don't have it, so something like
>         ipchains -I input -p tcp ! -y -j ACCEPT
> should do the trick. You might feel happier expressly putting
>         -s
>         -d
> in there as well to get the 'any's across.

This *is* the nearest equivalent, but is massively less functional than
the equivalent
using, for example, ipfilter - ipchains does not keep track of
established connections
and so cannot actually check that the packet is part of an established
connection, just
that it's not the start of a new one. Which is a massive difference.


Reply to: