
Re: DROP or REJECT with STATE flags



On Tue, 26/04/2005 at 09.21 -0400, Theodore Knab wrote:
> Is there any advantage/disadvantage of using state for DROPS and REJECTS ?
> 
> I noticed I had the following rules which I really don't understand on my
> transparent bridge.
> 
> IPTABLES="/sbin/iptables"
> OINT="eth1"
> 
> $IPTABLES -I FORWARD -m state --state INVALID -j DROP
> $IPTABLES  -A FORWARD  -p tcp -m state -m physdev --physdev-in $OINT -s 129.2.16.23/32 --destination-port 25 --state NEW,ESTABLISHED,RELATED -j REJECT 
> $IPTABLES  -A FORWARD  -p tcp  -m state  -m physdev --physdev-in $OINT --destination-port 1:1024 --state NEW,ESTABLISHED,RELATED -j REJECT
> $IPTABLES  -A FORWARD  -p udp  -m state  -m physdev --physdev-in $OINT --destination-port 1:1024 --state NEW,ESTABLISHED,RELATED -j REJECT

It depends on the subsequent lines. I mean, line 1 is useful because you
want to drop invalid packets, right now w/o checking following rules.
Lines 2-4 are useful in a similar way, admitting your subsequent rules
can trap the same packets and lead them to a different target (i.e. DROP
instead of REJECT). However line 2 is surely useless, as the same
packets are trapped in a more general context by line 3.

Ciao,
Gian Piero.
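To make the point above concrete, here is an added toy model of first-match evaluation over the four quoted rules (my own example code, not from this thread or from iptables itself). It flags line 2 as redundant because line 3 covers it with the same target, and shows that lines 3-4 only change an outcome when a later rule with a different target would otherwise catch the packet; the trailing catch-all DROP and the ACCEPT chain policy are assumptions, and the sample packets are constructed.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# proto "tcp"/"udp"; in_iface = bridge port (--physdev-in); state = conntrack state
Packet = namedtuple("Packet", "proto in_iface src dport state")
# A None field means the rule does not match on that attribute; src is a CIDR,
# dports an inclusive (low, high) like --destination-port 1:1024, states the --state set.
Rule = namedtuple("Rule", "target proto in_iface src dports states", defaults=(None,) * 5)

def matches(r, p):  # does packet p match rule r?
    return ((r.proto is None or r.proto == p.proto)
            and (r.in_iface is None or r.in_iface == p.in_iface)
            and (r.src is None or ip_address(p.src) in ip_network(r.src))
            and (r.dports is None or r.dports[0] <= p.dport <= r.dports[1])
            and (r.states is None or p.state in r.states))

def covers(r, o):  # True if every packet matching rule o also matches rule r
    def within(a, b, inside):  # b None = wildcard; else a must be set and lie inside b
        return b is None or (a is not None and inside(a, b))
    return (within(o.proto, r.proto, lambda a, b: a == b)
            and within(o.in_iface, r.in_iface, lambda a, b: a == b)
            and within(o.src, r.src, lambda a, b: ip_network(a).subnet_of(ip_network(b)))
            and within(o.dports, r.dports, lambda a, b: b[0] <= a[0] and a[1] <= b[1])
            and within(o.states, r.states, lambda a, b: a <= b))

OINT, NER = "eth1", frozenset({"NEW", "ESTABLISHED", "RELATED"})
CHAIN = [  # the four quoted rules in evaluation order (-I puts the INVALID rule first)
    Rule("DROP", states=frozenset({"INVALID"})),
    Rule("REJECT", "tcp", OINT, "129.2.16.23/32", (25, 25), NER),
    Rule("REJECT", "tcp", OINT, None, (1, 1024), NER),
    Rule("REJECT", "udp", OINT, None, (1, 1024), NER),
    Rule("DROP"),  # assumed catch-all DROP further down, the case Gian Piero describes
]

def verdict(chain, p):  # first-match walk; returns (index of the rule that fired, target)
    for i, r in enumerate(chain):
        if matches(r, p):
            return i, r.target
    return None, "ACCEPT"  # assumed chain policy

def redundant_rules(chain):  # rules fully covered by a later same-target rule, with only
    out = []                 # same-target rules in between: deleting them changes no verdict
    for i, r in enumerate(chain):
        j = i + 1
        while j < len(chain) and chain[j].target == r.target and not covers(chain[j], r):
            j += 1
        if j < len(chain) and chain[j].target == r.target:
            out.append(i)
    return out
```

Dropping the catch-all DROP from `CHAIN` makes lines 3-4 redundant too, since the assumed ACCEPT policy would then be the only alternative verdict.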
