On Tue, 4 Jul 2006, martin f krafft wrote:

> also sprach Jozsef Kadlecsik <[EMAIL PROTECTED]> [2006.07.04.1143 +0200]:
> > That is false, because from connection tracking point of view a plain ACK
> > packet which does not belong to any existing connections has got a state,
> > which is NEW. That is why connection pickup can work.
>
> Yeah, and so it's not INVALID. I did not know about connection
> tracking, but other than that, the following two are equivalent, no?
>
>   accept ESTABLISHED,RELATED
>   drop INVALID
>   accept --dport 22
>   drop
>
> and
>
>   accept ESTABLISHED,RELATED
>   accept --dport 22 --syn
>   drop
No. In the first case you drop INVALID packets (actually, broken ones: invalid flag-combinations, bad checksum, etc.) and accept any packet targeting port 22. In the second case you accept SYN packets sent to port 22.

Best regards,
Jozsef
-
E-mail  : [EMAIL PROTECTED], [EMAIL PROTECTED]
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

