Re: iptables and INVALID packet filtering.

To: debian-firewall@lists.debian.org
Subject: Re: iptables and INVALID packet filtering.
From: Pascal Hambourg <pascal@plouf.fr.eu.org>
Date: Fri, 05 Apr 2013 23:54:13 +0200
Message-id: <[🔎] 515F4805.8080708@plouf.fr.eu.org>
In-reply-to: <[🔎] CAASvXNuLEnTrt+38AfCMq+9H-rqL-tfvd760jUOXTXAWZKc9DQ@mail.gmail.com>
References: <[🔎] CAASvXNseOJy8__QFKFir=nUmCGZDR47vFFYkeToCO3=PYp7sCw@mail.gmail.com> <[🔎] 515E059E.4080508@plouf.fr.eu.org> <[🔎] B57F1D41-A448-439A-A912-EF921511C1CD@AandRSecurity.com> <[🔎] CAASvXNtqJbKpPXXwLtr-680exHBx7EyDreWBovHdEMFAFnWdGw@mail.gmail.com> <[🔎] 82506A86-4FCA-4F5A-A37A-7C89EEC4F050@AandRSecurity.com> <[🔎] CAASvXNsm_+mRaO2uoWsR0iwH4_2gSSLHZ14HRb_wy4uLhRDQ3Q@mail.gmail.com> <[🔎] 7B0F313E-DD4F-4466-B6CD-C0F4E2D976D6@AandRSecurity.com> <[🔎] CAASvXNuLEnTrt+38AfCMq+9H-rqL-tfvd760jUOXTXAWZKc9DQ@mail.gmail.com>

Daniel Curtis a écrit :
> 
> So, it is better to use state module instead of conntrack,
> when it comes to filter INVALID packets or it does not
> matter, which module will be in use? What is your
> opinion on this?

It does not matter. The conntrack match has more options, but
"-m conntrack --ctstate INVALID" does exactly the same as "-m state
--state INVALID". The connection tracking is not performed by either
module, their purpose is just to match the state of the packet, not to
decide what state the packet is in.

> I know, that in e.g. iptables v1.4.16.3, state module is obsolete.
[...]
> WARNING: The state match is obsolete. Use conntrack instead.

No, the state match is not obsolete any more. The developpers of
iptables have finally decided that it would not be deprecated and would
be aliased by the conntrack module instead, so you can safely ignore
this warning.

Reply to:

References:
- iptables and INVALID packet filtering.
  - From: Daniel Curtis <sidetripping@gmail.com>
- Re: iptables and INVALID packet filtering.
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: iptables and INVALID packet filtering.
  - From: Matthew Babcock <MBabcock@AandRSecurity.com>
- Re: iptables and INVALID packet filtering.
  - From: Daniel Curtis <sidetripping@gmail.com>
- Re: iptables and INVALID packet filtering.
  - From: Matthew Babcock <MBabcock@AandRSecurity.com>
- Re: iptables and INVALID packet filtering.
  - From: Daniel Curtis <sidetripping@gmail.com>
- Re: iptables and INVALID packet filtering.
  - From: Matthew Babcock <MBabcock@AandRSecurity.com>
- Re: iptables and INVALID packet filtering.
  - From: Daniel Curtis <sidetripping@gmail.com>

Prev by Date: Re: postfix through TOR DNS.
Next by Date: Re: iptables and INVALID packet filtering.
Previous by thread: Re: iptables and INVALID packet filtering.
Next by thread: Re: iptables and INVALID packet filtering.
Index(es):
- Date
- Thread