
Re: TCP SYN packets which have the FIN flag set.



On Fri, 2004-11-05 at 12:49, Jan Minar wrote:
> On Fri, Nov 05, 2004 at 11:29:21AM +0000, Baruch Even wrote:
> > On Thu, 2004-11-04 at 18:41, martin f krafft wrote:
> > > What's the point of matching state NEW *and* SYN packets? Just SYN
> > > packets should suffice.
> > 
> > This comes from the fact that the NEW state of Netfilter only means that
> > this is the first time this connection is seen by the firewall. What you
> > really want is the connection to be NEW and a valid connection opening,
> > so you check the SYN flag too.
> 
> Serious documentation bug.  Just count the number of sites that give
> wrong examples.
> 
> Patch against woody's iptables:
> 
> --- iptables-1.2.6a.ORIG/iptables.8	Fri Nov  5 12:28:43 2004
> +++ iptables-1.2.6a-local.0/iptables.8	Fri Nov  5 12:47:14 2004
> @@ -521,7 +521,12 @@
>  supporting this feature)
>  .SS state
>  This module, when combined with connection tracking, allows access to
> -the connection tracking state for this packet.
> +the connection tracking state for this packet.  Note that no
> +.I validity
> +check is performed, so for example \fB--state NEW\fP will match SYN,FIN packets.
> +Some TCP stacks assign special meanings to such packets, and this actually might
> +be what you want.  For a more stringent filtering, see the \fB--tcp-flags\fP and
> +\fB--syn\fP options..
>  .TP
>  .BI "--state " "state"
>  Where state is a comma separated list of the connection states to
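Review bot: the added sentence "Note that no .I validity check is performed" is too broad for the paragraph it sits in, which describes the whole state module; only NEW lacks such a check, while ESTABLISHED and RELATED match only packets conntrack has already tied to a known connection (the objection raised in the reply below). Scope it to the one state, e.g. "Note that \fB--state NEW\fP performs no check on the packet itself: it matches any packet that opens a connection the firewall has not seen, so for TCP it also matches SYN,FIN packets." The clause "Some TCP stacks assign special meanings to such packets" is too vague for a manual page; say what is meant or drop it, and keep the pointer to \fB--tcp-flags\fP and \fB--syn\fP, which is the actionable part. Also "\fB--syn\fP options.." ends with a doubled period.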

I disagree with this description: the --state NEW case should be
described for what it is, and there should be no expectation of a
validity check for it, but the ESTABLISHED and RELATED cases do check
for validity.

Baruch
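The distinction the thread turns on (NEW means "first packet of a connection the firewall has not seen", not "a well-formed SYN") is easy to see in a small model. The Python below is an added example written for this page, not netfilter's code and not iptables output: ConnTracker implements only the rule the thread states for NEW, the matchers mimic the two rule shapes under discussion (--state NEW alone versus --state NEW --syn), and the packet list is constructed sample traffic using documentation addresses. Any flag-combination sanity checks a particular conntrack version may apply are outside the model.

```python
"""Toy model of iptables --state NEW versus --syn matching (example code)."""
from dataclasses import dataclass

# TCP header flag bits (low byte of the flags field, RFC 793 layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        return (self.dst, self.dport, self.src, self.sport)


class ConnTracker:
    """Simplified conntrack (invented for the example): lookup() classifies a
    packet, confirm() records its tuple once the packet has been accepted.
    No TCP flag check is applied here, which is exactly why --state NEW on
    its own is not a test for a valid connection opening."""

    def __init__(self):
        self.table = set()

    def lookup(self, pkt):
        if pkt.key() in self.table or pkt.reverse_key() in self.table:
            return "ESTABLISHED"
        return "NEW"

    def confirm(self, pkt):
        self.table.add(pkt.key())


def tcp_flags_match(flags, mask, comp):
    """iptables --tcp-flags MASK COMP: of the bits named in MASK, exactly the
    bits in COMP must be set; bits outside MASK are ignored."""
    return (flags & mask) == comp


def is_syn(flags):
    """iptables --syn, equivalent to --tcp-flags SYN,RST,ACK,FIN SYN:
    SYN set with ACK, RST and FIN clear (PSH/URG are not examined)."""
    return tcp_flags_match(flags, SYN | RST | ACK | FIN, SYN)


# Matchers take (conntrack state, packet), mirroring the rule they stand for.
def match_established(state, pkt):   # -m state --state ESTABLISHED,RELATED
    return state in ("ESTABLISHED", "RELATED")


def match_new(state, pkt):           # -m state --state NEW   (the common example)
    return state == "NEW"


def match_new_syn(state, pkt):       # -m state --state NEW -p tcp --syn
    return state == "NEW" and is_syn(pkt.flags)


# Two INPUT chains with policy DROP that differ only in how NEW is accepted.
LOOSE_CHAIN = [(match_established, "ACCEPT"), (match_new, "ACCEPT")]
STRICT_CHAIN = [(match_established, "ACCEPT"), (match_new_syn, "ACCEPT")]


def run_chain(chain, packets):
    """Return the verdict for each packet in order, using a fresh tracker.
    A tuple is confirmed only when its packet is accepted, as conntrack only
    confirms entries for packets that get through the filter."""
    tracker = ConnTracker()
    verdicts = []
    for pkt in packets:
        state = tracker.lookup(pkt)
        verdict = "DROP"                 # chain policy
        for matcher, target in chain:
            if matcher(state, pkt):
                verdict = target
                break
        if verdict == "ACCEPT":
            tracker.confirm(pkt)
        verdicts.append(verdict)
    return verdicts


# Constructed sample traffic toward an SSH port (documentation addresses).
SAMPLE = [
    Packet("198.51.100.7", 40000, "192.0.2.10", 22, SYN),         # normal open
    Packet("198.51.100.7", 40000, "192.0.2.10", 22, ACK),         # later packet of that flow
    Packet("198.51.100.8", 40001, "192.0.2.10", 22, SYN | FIN),   # SYN,FIN from an unknown tuple
    Packet("198.51.100.9", 40002, "192.0.2.10", 22, ACK),         # stray ACK, unknown tuple
    Packet("198.51.100.10", 40003, "192.0.2.10", 22, SYN | ACK),  # unsolicited SYN/ACK
]

if __name__ == "__main__":
    for name, chain in (("--state NEW", LOOSE_CHAIN), ("--state NEW --syn", STRICT_CHAIN)):
        print(name, run_chain(chain, SAMPLE))
```

The loose chain accepts every packet in the sample, because each comes from a tuple the tracker has not seen and is therefore NEW; the strict chain accepts only the plain SYN and the follow-up packet of that same flow. In a real ruleset the strict form is `-p tcp --dport 22 -m state --state NEW --syn -j ACCEPT` (or the spelled-out `--tcp-flags SYN,RST,ACK,FIN SYN`), with the usual `--state ESTABLISHED,RELATED` accept rule ahead of it.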


