[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ssh connection survives reboot of stateful iptables router

martin f krafft a écrit :

on the basis that it's not okay to drop bad packets before
accepting good packets, the following would not be okay even though
they're logically equivalent?

I want to make things clear : dropping packets first is not bad ; what is bad is accepting packets with the assumption that they meet certain requirements based on the fact that packets wich don't meet these requirements were dropped or rejected before by a previous rule.

  drop INVALID
  accept NEW --dport ssh --syn

Good. All the requirements are in the accept rule, so it does not rely on previous drop rules.


  drop INVALID
  drop ! NEW
  drop ! --syn
  accept --dport ssh

Very bad ! The accept rule relies on previous drop rules.
Ideally, you should not need any drop rules except at the very end of the chain (or as the chain default policy, which of course must be DROP). However you may have some drop rules for performance issues, to avoid examination of the remaining rules. For instance, if you have a user-defined chain containing all the rules for a given interface, you can append a drop rule at the end of this chain so rules for other interfaces are not examined.

Reply to: