On Fri, 2004-11-05 at 14:27, martin f krafft wrote:
> also sprach Baruch Even <[EMAIL PROTECTED]> [2004.11.05.1229 +0100]:
> > This comes from the fact that the NEW state of Netfilter only
> > means that this is the first time this connection is seen by the
> > firewall. What you really want is the connection to be NEW and
> > a valid connection opening, so you check the SYN flag too.
>
> Why do you care about the connection being NEW? I am not
> challenging, I just can't figure out an attack scenario that could
> exploit the fact that I only check for --syn.
You have three categories into which all sessions go:

  ESTABLISHED,RELATED
  NEW
  INVALID

Pick two to cover the spectrum of attacks. If you don't check for NEW, a SYN packet which is INVALID for some connection can be accepted. If you check for INVALID before you check for SYN, you're covered.

> > A former e-mail of mine explains why the --tcp-flags ALL SYN check
> > is a bad idea.
>
> You say to use "RST,ACK,FIN,SYN SYN" which makes sense. If you use
> --syn and iptables-save, "RST,ACK,SYN SYN" is stored, so this is
> what --syn seems to mean. Why does --syn not set FIN in the mask?

Because of ideas like TTCP (as mentioned before in this thread). For the exact reasons you'll have to ask the netfilter team; I developed a firewall, but it wasn't netfilter.

Baruch
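An added example, not from this thread or from either poster, that turns Baruch's advice into an audit over constructed iptables-save excerpts: a NEW accept must carry a SYN check, and INVALID must be dropped before any NEW accept. The rule sets, the port-22 service and the `audit_rules` helper are assumptions made for the example.

```shell
#!/bin/sh
# Constructed iptables-save excerpts (not from the thread) for an INPUT chain.
# Weak ordering: NEW is accepted on state alone, and INVALID is dropped only
# afterwards, so a SYN that conntrack regards as INVALID can be accepted.
WEAK_RULES='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m state --state INVALID -j DROP'

# Ordering as advised in the thread: drop INVALID first, then accept NEW only
# when the packet is a real connection opening (SYN set; FIN, RST, ACK clear).
GOOD_RULES='-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -m state --state NEW -j ACCEPT'

# audit_rules reads iptables-save lines on stdin and prints one finding per
# problem: a NEW accept with no SYN check, or a NEW accept that appears before
# any INVALID drop. It prints nothing when the chain follows the advice.
audit_rules() {
    awk '
    /--state INVALID|--ctstate INVALID/ && /-j DROP/ { seen_invalid_drop = 1 }
    /--state NEW|--ctstate NEW/ && /-j ACCEPT/ {
        if ($0 !~ /--syn|--tcp-flags [A-Z,]+ SYN/)
            print "NEW accepted without SYN check: " $0
        if (!seen_invalid_drop)
            print "NEW accepted before INVALID is dropped: " $0
    }'
}

# count_findings prints how many problems audit_rules reports for a rule set
# passed as its single argument.
count_findings() {
    printf '%s\n' "$1" | audit_rules | awk 'END { print NR }'
}

printf 'weak chain:\n'
printf '%s\n' "$WEAK_RULES" | audit_rules
printf 'good chain: %s finding(s)\n' "$(count_findings "$GOOD_RULES")"
```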