On Thu, 2004-11-04 at 18:41, martin f krafft wrote:
> also sprach Luis Pérez Meliá <[EMAIL PROTECTED]> [2004.11.04.1848 +0100]:
> > iptables -A INPUT -m state --state NEW -p tcp --tcp-flags
> > ALL SYN -j ACCEPT
>
> What's the point of matching state NEW *and* SYN packets? Just SYN
> packets should suffice.
This comes from the fact that the NEW state of Netfilter only means that this is the first time this connection is seen by the firewall. What you really want is the connection to be NEW and a valid connection opening, so you check the SYN flag too.

A former e-mail of mine explains why the --tcp-flags ALL SYN check is a bad idea.

Baruch
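To make the distinction concrete, here is an added Python model of the matching semantics the thread is about (it is not Netfilter code and not from either poster): conntrack marks any TCP packet whose flow has no table entry as NEW regardless of its flags (the default, loose behaviour), so `--state NEW` alone also matches a stray ACK that this firewall never saw a handshake for, while adding `--syn` rejects it. The same model shows one consequence of the stricter `--tcp-flags ALL SYN` form: an ECN-setup SYN (ECE and CWR set, RFC 3168) no longer matches. Packet and flow values are constructed samples.

```python
# Added model of the iptables/conntrack matching semantics discussed above.
# Not Netfilter code: it reproduces the default rule that a packet with no
# conntrack entry is NEW whatever its flags, plus the --tcp-flags semantics.

SYN, ACK, FIN, RST, ECE, CWR = "SYN", "ACK", "FIN", "RST", "ECE", "CWR"
ALL = {SYN, ACK, FIN, RST, "PSH", "URG", ECE, CWR}


def conntrack_state(packet, table):
    """NEW when the flow is unknown to the firewall; conntrack does not
    consult the TCP flags for this decision (default tcp_loose behaviour)."""
    return "ESTABLISHED" if packet["flow"] in table else "NEW"


def tcp_flags_match(packet, mask, comp):
    """Semantics of 'iptables --tcp-flags MASK COMP': among the flags in
    MASK, exactly those in COMP must be set."""
    return packet["flags"] & mask == comp


def rule_new_only(packet, table):
    """-m state --state NEW"""
    return conntrack_state(packet, table) == "NEW"


def rule_new_and_syn(packet, table):
    """-m state --state NEW --syn ('--syn' is '--tcp-flags SYN,RST,ACK,FIN SYN')"""
    return rule_new_only(packet, table) and tcp_flags_match(
        packet, {SYN, RST, ACK, FIN}, {SYN})


def rule_new_and_all_syn(packet, table):
    """-m state --state NEW --tcp-flags ALL SYN (the quoted rule)"""
    return rule_new_only(packet, table) and tcp_flags_match(packet, ALL, {SYN})


# Constructed sample packets; 'flow' stands in for the 5-tuple.
SAMPLES = {
    "plain_syn": {"flow": "a", "flags": {SYN}},
    "ecn_syn": {"flow": "b", "flags": {SYN, ECE, CWR}},  # ECN-setup SYN
    "stray_ack": {"flow": "c", "flags": {ACK}},          # no handshake seen here
}
EMPTY_TABLE = set()  # the firewall has seen none of these flows yet


def accepted_by(rule):
    """Names of the sample packets the rule would ACCEPT with an empty conntrack table."""
    return sorted(name for name, p in SAMPLES.items() if rule(p, EMPTY_TABLE))


if __name__ == "__main__":
    for rule in (rule_new_only, rule_new_and_syn, rule_new_and_all_syn):
        print(rule.__name__, accepted_by(rule))
```

Running it shows `rule_new_only` accepting the stray ACK, `rule_new_and_syn` accepting only the two SYNs, and `rule_new_and_all_syn` dropping the ECN SYN as well.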