On Fri, Nov 05, 2004 at 11:29:21AM +0000, Baruch Even wrote:
> On Thu, 2004-11-04 at 18:41, martin f krafft wrote:
> > also sprach Luis Pérez Meliá <luisp.m@ono.com> [2004.11.04.1848 +0100]:
> > > iptables -A INPUT -m state --state NEW -p tcp --tcp-flags
> > > ALL SYN -j ACCEPT
> >
> > What's the point of matching state NEW *and* SYN packets? Just SYN
> > packets should suffice.
>
> This comes from the fact that the NEW state of Netfilter only means that
> this is the first time this connection is seen by the firewall. What you
> really want is the connection to be NEW and a valid connection opening,
> so you check the SYN flag too.

Serious documentation bug. Just count the number of sites that give wrong
examples.

Patch against woody's iptables:

--- iptables-1.2.6a.ORIG/iptables.8 Fri Nov 5 12:28:43 2004
+++ iptables-1.2.6a-local.0/iptables.8 Fri Nov 5 12:47:14 2004
@@ -521,7 +521,12 @@
 supporting this feature)
 .SS state
 This module, when combined with connection tracking, allows access to
-the connection tracking state for this packet.
+the connection tracking state for this packet. Note that no
+.I validity
+check is performed, so for example \fB--state NEW\fP will match SYN,FIN packets.
+Some TCP stacks assign special meanings to such packets, and this actually might
+be what you want. For a more stringent filtering, see the \fB--tcp-flags\fP and
+\fB--syn\fP options..
 .TP
 .BI "--state " "state"
 Where state is a comma separated list of the connection states to

Please comment.

-- 
Jan
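Review bot: the last added line of the hunk, `+\fB--syn\fP options..`, ends with a doubled period and should read `options.`; while touching that line, "For a more stringent filtering" reads better as "For more stringent filtering". One content point on the same hunk: the warning only names SYN,FIN packets, but since NEW means just "no tracked connection for this tuple yet" (as the quoted reply says), a packet with no SYN at all, such as a stray ACK, also matches `--state NEW`; naming that case would make the note more useful, because that is the combination people hit when they use `--state NEW` as an "incoming connection" match.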
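An added simulation (mine, not code from the thread or from Netfilter) of the two rules under discussion, run over constructed packets: it models `--state NEW` as "this 4-tuple is not tracked yet" and `--tcp-flags MASK COMP` as a mask-and-compare on the flag set, so the packets that a NEW-only rule lets through but `--state NEW --tcp-flags ALL SYN` rejects become visible.

```python
TCP_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})


def tcp_flags_match(packet_flags, mask, comp):
    """Model of iptables '--tcp-flags MASK COMP': look only at the flags in
    MASK and require exactly the flags in COMP to be set.  'ALL' expands to
    every flag, so 'ALL SYN' accepts a packet with SYN set and nothing else.
    ('--syn' is the special case MASK=SYN,RST,ACK,FIN COMP=SYN.)"""
    mask = TCP_FLAGS if mask == "ALL" else frozenset(mask.split(","))
    comp = TCP_FLAGS if comp == "ALL" else frozenset(comp.split(","))
    return (frozenset(packet_flags) & mask) == comp


def is_new(conntrack, packet):
    """Model of '-m state --state NEW': the packet's 4-tuple is not in the
    connection table.  No validity check is made on the TCP flags."""
    return packet["tuple"] not in conntrack


def loose_rule(conntrack, packet):
    """iptables -A INPUT -p tcp -m state --state NEW -j ACCEPT"""
    return is_new(conntrack, packet)


def strict_rule(conntrack, packet):
    """iptables -A INPUT -p tcp -m state --state NEW --tcp-flags ALL SYN -j ACCEPT
    (the rule quoted at the top of the thread)"""
    return is_new(conntrack, packet) and tcp_flags_match(packet["flags"], "ALL", "SYN")


def classify(packets, conntrack):
    """Return {packet name: (accepted by loose rule, accepted by strict rule)}."""
    return {p["name"]: (loose_rule(conntrack, p), strict_rule(conntrack, p))
            for p in packets}


# Constructed sample traffic towards 10.0.0.1:22.  Only the last 4-tuple is
# already in the (constructed) connection table; the rest are unknown.
TRACKED = frozenset({("10.0.0.9", 51000, "10.0.0.1", 22)})
SAMPLE = [
    {"name": "syn",         "tuple": ("10.0.0.2", 40001, "10.0.0.1", 22), "flags": ("SYN",)},
    {"name": "syn_fin",     "tuple": ("10.0.0.3", 40002, "10.0.0.1", 22), "flags": ("SYN", "FIN")},
    {"name": "bare_ack",    "tuple": ("10.0.0.4", 40003, "10.0.0.1", 22), "flags": ("ACK",)},
    {"name": "tracked_ack", "tuple": ("10.0.0.9", 51000, "10.0.0.1", 22), "flags": ("ACK",)},
]

if __name__ == "__main__":
    for name, (loose, strict) in classify(SAMPLE, TRACKED).items():
        print(f"{name:12s} NEW only: {loose!s:5s} NEW + tcp-flags ALL SYN: {strict}")
```

Only the plain SYN is accepted by both rules; the SYN,FIN and the stray ACK are NEW to conntrack and pass the loose rule, and the already tracked ACK is not NEW under either.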