[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: DROP or REJECT with STATE flags

Il giorno mar, 26/04/2005 alle 09.21 -0400, Theodore Knab ha scritto:
> Is there any advantage/disadvantage of using state for DROPS and REJECTS ?
> I noticed I had the following rules which I really don't understand on my
> transparent bridge.`
> IPTABLES="/sbin/iptables"
> OINT="eth1"
> $IPTABLES -I FORWARD -m state --state INVALID -j DROP
> $IPTABLES  -A FORWARD  -p tcp -m state -m physdev --physdev-in $OINT -s --destination-port 25 --state NEW,ESTABLISHED,RELATED -j REJECT 
> $IPTABLES  -A FORWARD  -p tcp  -m state  -m physdev --physdev-in $OINT --destination-port 1:1024 --state NEW,ESTABLISHED,RELATED -j REJECT
> $IPTABLES  -A FORWARD  -p udp  -m state  -m physdev --physdev-in $OINT --destination-port 1:1024 --state NEW,ESTABLISHED,RELATED -j REJECT

It depends on the subsequent lines. I mean, line 1 is useful because you
want to drop invalid packets, right now w/o checking following rules.
Lines 2-4 are useful in a similar way, admitting your subsequent rules
can trap the same packets and lead them to a different target (i.e. DROP
instead of REJECT). However line 2 is surely useless, as the same
packets are trapped in a more general contest by line 3.

Gian Piero.

Reply to: