Re: ssh connection survives reboot of stateful iptables router



thus spoke Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> [2006.07.04.1130 +0200]:
> > is the same, meaning that the INVALID state matches all non-SYN
> > packets at this point.
> 
> That's plain false: the INVALID state does not match all non-SYN packets
> at that point. It's nowhere written or stated in any decent documentation.

Let me get this straight:

  http://www.faqs.org/docs/iptables/userlandstates.html

    The INVALID state means that the packet can not be identified or
    that it does not have any state.

From what I was told, a packet that is not ESTABLISHED or RELATED,
but does not have the SYN bit set cannot be identified and thus has
no state. I seem to recall it was actually an iptables developer
who told me that INVALID = ALL - (ESTABLISHED + RELATED + NEW).

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
linux: because a pc is a terrible thing to waste
