Re: TCP SYN packets which have the FIN flag set.
On Fri, 2004-11-05 at 13:06, Stefan Fritsch wrote:
> Hi!
>
> On Friday 05 November 2004 12:27, Baruch Even wrote:
> > > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL SYN -j ACCEPT
> >
> > Please don't do that!
>
> > You can use SYN,ACK,FIN,RST SYN to check for illegal flags.
>
> Shouldn't
>
> iptables -A INPUT -m state --state INVALID -j DROP
>
> as the _first_ rule take care of all packages with illegal flags?
> Unfortunately, I haven't found any documentation what exactly is
> considered INVALID. Anybody?
I started to read the netfilter source to be sure, but it's too much work,
so take this answer with a grain of salt.
As far as I know, the INVALID bit will be flagged if a packet matched a
connection but is invalid in the connection context: a SYN packet for an
established connection, or a packet without an ACK in the established
connection. Things like that.
Baruch
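To make the difference between the two quoted rules concrete, here is a small added example (not from the thread) that emulates how `-p tcp --tcp-flags MASK COMP` decides a match: a packet matches when its flags ANDed with MASK equal COMP. The flag bit values are those of iptables' tcp match, where ALL covers FIN,SYN,RST,PSH,ACK,URG only (ECE and CWR are not part of ALL); the sample packets are constructed.

```shell
#!/bin/sh
# Emulates the match semantics of iptables "-p tcp --tcp-flags MASK COMP":
# a packet matches when (packet_flags & MASK) == COMP. Bit values follow the
# iptables tcp match (ALL = FIN,SYN,RST,PSH,ACK,URG = 0x3F; ECE/CWR are outside ALL).

# Convert a comma-separated flag list (e.g. "SYN,ACK") into a bitmask.
flags_to_mask() {
    mask=0
    for f in $(printf '%s' "$1" | tr ',' ' '); do
        case "$f" in
            FIN) bit=1 ;;  SYN) bit=2 ;;  RST) bit=4 ;;   PSH) bit=8 ;;
            ACK) bit=16 ;; URG) bit=32 ;; ECE) bit=64 ;;  CWR) bit=128 ;;
            ALL) bit=63 ;; NONE) bit=0 ;;
            *) echo "unknown flag: $f" >&2; return 1 ;;
        esac
        mask=$((mask | bit))
    done
    echo "$mask"
}

# tcp_flags_match PACKET_FLAGS MASK COMP  -> prints "match" or "no-match"
tcp_flags_match() {
    pkt=$(flags_to_mask "$1") || return 1
    m=$(flags_to_mask "$2") || return 1
    c=$(flags_to_mask "$3") || return 1
    if [ $(( pkt & m )) -eq "$c" ]; then echo match; else echo no-match; fi
}

# Constructed sample packets, checked against the two rules quoted above.
# SYN,FIN (the packet type in the subject line) is rejected by both rules;
# the rules only differ on SYN packets that also carry PSH or URG.
for pkt in SYN SYN,FIN SYN,ACK SYN,PSH SYN,ECE,CWR ACK; do
    printf '%-12s ALL SYN: %-9s SYN,ACK,FIN,RST SYN: %s\n' "$pkt" \
        "$(tcp_flags_match "$pkt" ALL SYN)" \
        "$(tcp_flags_match "$pkt" SYN,ACK,FIN,RST SYN)"
done
```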