Input rule to accept new SYN flag set packets
Hello,
I have some questions concerning a new filter rule which has been
discussed on debian-security, but with differing statements, so
it was confusing to me.
So far some rules out of my netfilter configuration:
#
# bad_tcp_packets chain
#
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# allowed chain
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
#
# Doesn't match any packets which have the SYN flag set.
#
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
***
Hopefully ok.
My question is now if this __NEW__ filter rule __below__ would
make sense to avoid DOS, or basically if it's required in a
sensible way:
iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL SYN -j ACCEPT
AFAIK it routes tcp net packets to localhost in the case they're new,
while source and destination is anywhere which has an unknown
new SYN flag set besides the following: FIN,SYN,RST,PSH,ACK,URG/SYN,
as this is the difference within iptables -L.
Does this make sense to avoid anything which is deprecated?
--
Best Regards,
Mark
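The question turns on how `--tcp-flags MASK COMP` and `--syn` actually compare flag bits. The following is an added example, not part of the mail above: it models those two iptables matches in plain Python, then walks a few constructed packets (flags plus conntrack state) through the bad_tcp_packets chain, the proposed `--tcp-flags ALL SYN` rule and the allowed chain, so the difference between the two rules is visible. The chain order, the verdict strings and the packet samples are assumptions made for the example; `--syn` being equivalent to `--tcp-flags SYN,RST,ACK,FIN SYN` follows the iptables-extensions man page.

```python
# Added example: model of iptables TCP flag matching, not the poster's
# configuration. Flag bit values follow the TCP header; "ALL" and "NONE"
# are the two special names iptables accepts in --tcp-flags.

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = 0x3F  # FIN,SYN,RST,PSH,ACK,URG, which is what "ALL" expands to in iptables -L


def parse_flags(spec):
    """Turn an iptables flag list ('SYN,ACK', 'ALL', 'NONE') into a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= FLAGS[name]  # KeyError on an unknown flag name, like iptables would reject it
    return bits


def tcp_flags_match(packet_flags, mask, comp):
    """--tcp-flags MASK COMP: look only at the bits in MASK; exactly COMP must be set."""
    return (packet_flags & parse_flags(mask)) == parse_flags(comp)


def syn_match(packet_flags):
    """--syn: SYN set, ACK/RST/FIN clear; PSH and URG are not examined."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK,FIN", "SYN")


def input_verdict(flag_spec, state):
    """Walk one packet through the chains in the assumed order:
    bad_tcp_packets -> proposed NEW/ALL SYN rule -> allowed chain.
    state is the conntrack state string (NEW, ESTABLISHED, RELATED)."""
    f = parse_flags(flag_spec)

    # bad_tcp_packets chain: NEW connections that do not start with a clean SYN
    if state == "NEW" and tcp_flags_match(f, "SYN,ACK", "SYN,ACK"):
        return "REJECT tcp-reset"
    if state == "NEW" and not syn_match(f):
        return "LOG+DROP"  # LOG is non-terminating; the DROP rule right after it fires

    # the proposed rule from the mail: only a packet with SYN and nothing else
    if state == "NEW" and tcp_flags_match(f, "ALL", "SYN"):
        return "ACCEPT (new SYN rule)"

    # allowed chain
    if syn_match(f):
        return "ACCEPT (allowed --syn)"
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT (allowed state)"
    return "DROP (allowed default)"


if __name__ == "__main__":
    # constructed sample packets: (flags as iptables would list them, conntrack state)
    samples = [
        ("SYN", "NEW"),          # normal connection request
        ("SYN,ACK", "NEW"),      # reply without a request seen: rejected with RST
        ("ACK", "NEW"),          # stray ACK, no connection: logged and dropped
        ("SYN,PSH", "NEW"),      # passes --syn but not --tcp-flags ALL SYN
        ("ACK", "ESTABLISHED"),  # mid-stream data
        ("FIN,ACK", "ESTABLISHED"),
    ]
    for flags, state in samples:
        print(f"{flags:10s} {state:12s} -> {input_verdict(flags, state)}")
```

The SYN,PSH sample is the one worth noticing: `--syn` ignores PSH and URG, so the allowed chain's `--syn -j ACCEPT` still lets that packet in, while `--tcp-flags ALL SYN` insists that every other flag is clear. The proposed rule therefore accepts a strict subset of what the existing `--syn` rule already accepts; whether that matters depends on whether anything after it treats the two cases differently.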