On Tue, 4 Jul 2006, martin f krafft wrote:

> Many people have rules like
>
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
>
> I've done research and found that
>
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -m conntrack --ctstate INVALID -j DROP
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>
> is the same, meaning that the INVALID state matches all non-SYN
> packets at this point.
That's plain false: the INVALID state does not match all non-SYN
packets at that point. It's nowhere written or stated in any decent
documentation.

Best regards,
Jozsef
-
E-mail  : [EMAIL PROTECTED], [EMAIL PROTECTED]
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
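The pitfall in the thread, as an added example that is not part of either message: a small lint over iptables-save style text that flags port-based TCP ACCEPT rules in INPUT which carry no `--syn` (or `--ctstate NEW`) and so rely on a preceding `--ctstate INVALID -j DROP` to reject non-SYN packets. The function and variable names are my own; the two rule sets are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). A bare non-SYN packet with no
# conntrack entry is not necessarily INVALID: with loose TCP tracking
# (nf_conntrack_tcp_loose, on by default) conntrack may pick it up as
# NEW, so a "--dport 22 -j ACCEPT" rule without --syn accepts it.

# Reads rules on stdin. Returns 0 when every port-based TCP ACCEPT in
# INPUT carries --syn, --ctstate NEW or an explicit --tcp-flags SYN
# check; returns 1 otherwise and prints the offending rules.
lint_tcp_accepts() {
    bad=0
    while IFS= read -r rule; do
        case "$rule" in
            -A\ INPUT*-p\ tcp*--dport*-j\ ACCEPT*)
                case "$rule" in
                    *--syn*|*--ctstate*NEW*|*--tcp-flags*SYN*) ;;
                    *) printf 'missing --syn or NEW: %s\n' "$rule"; bad=1 ;;
                esac ;;
        esac
    done
    return "$bad"
}

# Constructed sample input: the two rule sets quoted in the thread.
RULESET_SYN='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT'

RULESET_INVALID='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Convenience wrapper: lint a rule set held in a string.
check_ruleset() {
    printf '%s\n' "$1" | lint_tcp_accepts
}
```

Run as `check_ruleset "$RULESET_INVALID"` to see the port-22 rule flagged; `check_ruleset "$RULESET_SYN"` passes silently.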

