
Re: TCP SYN packets which have the FIN flag set.



On Thu, 2004-11-04 at 18:41, martin f krafft wrote:
> also sprach Luis Pérez Meliá <luisp.m@ono.com> [2004.11.04.1848 +0100]:
> >         iptables -A INPUT -m state --state NEW -p tcp --tcp-flags
> >         ALL SYN -j ACCEPT
> 
> What's the point of matching state NEW *and* SYN packets? Just SYN
> packets should suffice.

This comes from the fact that the NEW state of Netfilter only means that
this is the first time this connection is seen by the firewall. What you
really want is the connection to be NEW and a valid connection opening,
so you check the SYN flag too.

A former e-mail of mine explains why the --tcp-flags ALL SYN check is a
bad idea.

Baruch
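An added illustration of the point above, not part of the list thread: a small Python model of the iptables `--tcp-flags MASK COMP` match run over constructed packets, comparing "state NEW alone", `--tcp-flags ALL SYN`, and `--syn` (which the iptables manual defines as `--tcp-flags SYN,RST,ACK,FIN SYN`). The ECN-capable SYN carrying ECE and CWR (RFC 3168) is included as the usual reason an ALL SYN comparison rejects legitimate openings; the flow names and packet sequence are invented for the demonstration.

```python
# Added example, not code from the thread: models how
#   -m state --state NEW -p tcp --tcp-flags MASK COMP -j ACCEPT
# classifies a packet sequence. Flag bits follow the TCP header;
# ECE/CWR are the ECN bits from RFC 3168.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
ALL = sum(FLAGS.values())


def flag_mask(names):
    """Turn an iptables flag list such as 'SYN,ACK', 'ALL' or 'NONE' into a bitmask."""
    if names == "ALL":
        return ALL
    if names == "NONE":
        return 0
    return sum(FLAGS[n] for n in names.split(","))


def tcp_flags_match(mask, comp, packet_flags):
    """iptables semantics: only the bits named in MASK are examined, and they must equal COMP."""
    return (packet_flags & flag_mask(mask)) == flag_mask(comp)


def classify(rule_mask, rule_comp, packets):
    """Walk packets (flow, flags) through a toy conntrack table and return the flows
    accepted by the NEW + --tcp-flags rule. NEW means only 'first packet of this
    flow seen by the firewall'; it says nothing about which flags are set."""
    seen = set()
    accepted = []
    for flow, flags in packets:
        is_new = flow not in seen
        seen.add(flow)
        if is_new and tcp_flags_match(rule_mask, rule_comp, flag_mask(flags)):
            accepted.append(flow)
    return accepted


# Constructed sample traffic (flow label, flags as written in a packet capture).
SAMPLE_PACKETS = [
    ("ecn-client", "SYN,ECE,CWR"),   # legitimate opening from an ECN-capable host
    ("plain-client", "SYN"),         # ordinary opening
    ("stale-peer", "ACK"),           # bare ACK for a connection the firewall never saw
    ("syn-fin-peer", "SYN,FIN"),     # the SYN+FIN packet the thread subject refers to
    ("plain-client", "ACK"),         # second packet of a known flow: not NEW
]

if __name__ == "__main__":
    for mask, comp in (("NONE", "NONE"), ("ALL", "SYN"), ("SYN,RST,ACK,FIN", "SYN")):
        print(f"--tcp-flags {mask} {comp}: accepts {classify(mask, comp, SAMPLE_PACKETS)}")
```

With `--tcp-flags NONE NONE` standing in for "state NEW with no flag check", the stale bare ACK is accepted, which is exactly why the SYN check is added on top of NEW.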


