
Friday, August 03, 2007

Re: Iptables + Squid

On 2007-08-02 Franck Joncourt wrote:
> On Thu, Aug 02, 2007 at 10:49:51PM +0200, Ansgar -59cobalt- Wiechers wrote:
>> On 2007-08-02 Franck Joncourt wrote:
>>> -m state --state NEW --syn rather than --syn
>>
>> "--syn" is kinda redundant when using "--state NEW". ;)
>
> You are wrong. Try to send a packet with the ACK flag set and the
> others cleared; therefore you will be able to match those packets with
> this rule:
>
> iptables -A INPUT -p tcp -m state --state NEW \
> --tcp-flags SYN,FIN,RST,ACK ACK -j RETURN
>
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html#SYNACKANDNEW

Instead of adding a --syn to the ACCEPT rule I'd rather add a REJECT
rule as described in the article you mentioned to protect against
spoofing.

cu
59cobalt
--
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
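The point the two replies circle around is that conntrack marks any TCP packet it has no entry for as NEW, SYN or not, so a bare `--state NEW` ACCEPT lets an ACK-only probe through, and the fix is either `--syn` on the ACCEPT rule or a preceding `! --syn` REJECT rule. The script below is an added example written for this page; it is not from either poster. It re-implements the `--tcp-flags MASK COMP` match in plain POSIX shell (so it runs without root or a kernel), shows that `--syn` is just `--tcp-flags SYN,RST,ACK,FIN SYN`, walks a small guarded chain against a few probes, and prints that chain in iptables-restore syntax. Port 3128 as the Squid listener and the REJECT-with-tcp-reset target are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example: emulate iptables' --tcp-flags semantics and the "NEW but
# not SYN" guard rule from the thread. Not code from the original post.

# Bit value of each TCP flag name iptables accepts.
flag_bit() {
    case "$1" in
        FIN) echo 1 ;;  SYN) echo 2 ;;  RST) echo 4 ;;   PSH) echo 8 ;;
        ACK) echo 16 ;; URG) echo 32 ;; ALL) echo 63 ;;  NONE) echo 0 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# "SYN,FIN,RST,ACK" -> 23 (bitwise OR of the named flags).
flags_to_mask() {
    _mask=0
    for _f in $(printf '%s' "$1" | tr ',' ' '); do
        _bit=$(flag_bit "$_f") || return 1
        _mask=$((_mask | _bit))
    done
    echo "$_mask"
}

# tcp_flags_match MASK COMP PACKET_FLAGS
# iptables semantics: of the flags listed in MASK, exactly those listed in
# COMP must be set on the packet; flags outside MASK are ignored.
tcp_flags_match() {
    _m=$(flags_to_mask "$1") || return 2
    _c=$(flags_to_mask "$2") || return 2
    _p=$(flags_to_mask "$3") || return 2
    [ $((_p & _m)) -eq $((_c & _m)) ]
}

# --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN.
is_syn() { tcp_flags_match SYN,RST,ACK,FIN SYN "$1"; }

# The guarded chain in iptables-restore syntax. Port 3128 (Squid's default)
# and the tcp-reset reject are assumptions for the example.
squid_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 3128 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# verdict STATE FLAGS: run one packet aimed at port 3128 through the chain
# above, in rule order, and print the target it hits (chain policy if none).
verdict() {
    _state=$1; _flags=$2
    case "$_state" in
        ESTABLISHED|RELATED) echo ACCEPT; return ;;
    esac
    if [ "$_state" = NEW ] && ! is_syn "$_flags"; then
        echo REJECT; return          # the ! --syn guard fires first
    fi
    if [ "$_state" = NEW ]; then
        echo ACCEPT; return          # a real SYN reaches the ACCEPT rule
    fi
    echo DROP                        # policy
}

# verdict_unguarded STATE FLAGS: the chain the thread started from, a bare
# "--state NEW" ACCEPT with no flag check. Conntrack calls an ACK-only probe
# NEW because it has no entry for it, so it is accepted regardless of flags.
verdict_unguarded() {
    case "$1" in
        ESTABLISHED|RELATED|NEW) echo ACCEPT ;;
        *) echo DROP ;;
    esac
}

# Demo when run directly: the ruleset, then four NEW probes through each chain.
squid_rules
for probe in SYN ACK SYN,ACK FIN; do
    printf '%-8s NEW -> guarded: %-7s unguarded: %s\n' "$probe" \
        "$(verdict NEW "$probe")" "$(verdict_unguarded NEW "$probe")"
done
```

Two things worth noticing when reading the output: the guard rule has to sit before the ACCEPT rule, since iptables stops at the first terminating target, and the mask semantics mean a packet with PSH or URG set on top of ACK still matches `--tcp-flags SYN,FIN,RST,ACK ACK`, which is why the tutorial's rule (and `--syn` itself) list only the four flags that define a connection opener.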
