On Fri, 2004-11-05 at 13:06, Stefan Fritsch wrote:
> Hi!
>
> On Friday 05 November 2004 12:27, Baruch Even wrote:
> > > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL SYN -j ACCEPT
> >
> > Please don't do that!
> > You can use SYN,ACK,FIN,RST SYN to check for illegal flags.
>
> Shouldn't
>
> iptables -A INPUT -m state --state INVALID -j DROP
>
> as the _first_ rule take care of all packets with illegal flags?
> Unfortunately, I haven't found any documentation on what exactly is
> considered INVALID. Anybody?
I started to read the netfilter source to be sure, but it's too much work, so take this answer with a grain of salt. As far as I know, the INVALID bit will be flagged if a packet matched a connection but is invalid in the connection context: a SYN packet for an established connection, or a packet without an ACK in an established connection. Things like that.

Baruch
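To make the difference between the two `--tcp-flags` rules quoted above concrete, here is an added example that is not part of the list thread. It reimplements the match the kernel's tcp match performs, `(flags_byte & MASK) == COMP`, and runs both rules over a few constructed flag combinations. The per-flag bit values are the ones iptables' libxt_tcp uses for byte 13 of the TCP header; that `ALL` covers only the six classic flags (0x3F) and therefore leaves the ECN bits ECE/CWR unconstrained is stated here as an assumption about the iptables build, and the sample packets and helper names are my own. Neither rule has anything to do with conntrack's INVALID state, which this example does not model.

```python
# Added example (not code from the thread): iptables "--tcp-flags MASK COMP"
# semantics, i.e. (tcp_flags & MASK) == COMP, applied to the two rules that
# were discussed. Flag bit values as in libxt_tcp; ALL = 0x3F is an
# assumption about the iptables build in use.

FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20,
    "ALL": 0x3F,   # assumption: the six classic flags only
    "NONE": 0x00,
}
# ECN bits in the same header byte; outside ALL under the assumption above.
ECE, CWR = 0x40, 0x80


def parse_flags(spec: str) -> int:
    """Turn a comma-separated iptables flag list like 'SYN,ACK,FIN,RST' into a bitmask."""
    bits = 0
    for name in spec.split(","):
        bits |= FLAG_BITS[name.strip().upper()]
    return bits


def tcp_flags_match(flags_byte: int, mask_spec: str, comp_spec: str) -> bool:
    """Kernel tcp match: the bits selected by MASK must equal COMP; other bits are ignored."""
    return (flags_byte & parse_flags(mask_spec)) == parse_flags(comp_spec)


# Constructed sample packets, reduced to their TCP flag byte.
SAMPLES = {
    "plain SYN":     FLAG_BITS["SYN"],
    "ECN-setup SYN": FLAG_BITS["SYN"] | ECE | CWR,
    "SYN+PSH":       FLAG_BITS["SYN"] | FLAG_BITS["PSH"],
    "SYN+ACK":       FLAG_BITS["SYN"] | FLAG_BITS["ACK"],
    "SYN+FIN":       FLAG_BITS["SYN"] | FLAG_BITS["FIN"],
    "NULL scan":     0x00,
    "XMAS":          FLAG_BITS["FIN"] | FLAG_BITS["PSH"] | FLAG_BITS["URG"],
}

# The two rules from the thread, as (MASK, COMP) pairs.
RULES = {
    "ALL SYN":             ("ALL", "SYN"),
    "SYN,ACK,FIN,RST SYN": ("SYN,ACK,FIN,RST", "SYN"),
}


def compare_rules(samples=SAMPLES, rules=RULES) -> dict:
    """Return {sample name: {rule name: matched?}} for every sample and rule."""
    return {
        name: {rule: tcp_flags_match(flags, mask, comp)
               for rule, (mask, comp) in rules.items()}
        for name, flags in samples.items()
    }


def differing_samples(samples=SAMPLES, rules=RULES) -> list:
    """Names of samples on which the rules do not all agree."""
    table = compare_rules(samples, rules)
    return [name for name, row in table.items() if len(set(row.values())) > 1]


if __name__ == "__main__":
    for name, row in compare_rules().items():
        verdicts = ", ".join(f"{rule}: {'ACCEPT' if ok else 'no match'}"
                             for rule, ok in row.items())
        print(f"{name:14s} {verdicts}")
    print("rules disagree on:", differing_samples())
```

Both rules accept a plain SYN and an ECN-setup SYN (ECE and CWR are outside both masks), and both refuse SYN+ACK, SYN+FIN, NULL and XMAS combinations. They differ only on flags outside the shorter mask: `ALL SYN` requires PSH and URG to be clear, so a SYN+PSH is not accepted as a new connection, whereas `SYN,ACK,FIN,RST SYN` does not look at PSH or URG at all. Whichever you pick, the match only inspects the flag byte of a single packet; whether the packet makes sense for an existing connection is the conntrack question raised in the thread.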