On Fri, 2004-11-05 at 12:49, Jan Minar wrote:
> On Fri, Nov 05, 2004 at 11:29:21AM +0000, Baruch Even wrote:
> > On Thu, 2004-11-04 at 18:41, martin f krafft wrote:
> > > What's the point of matching state NEW *and* SYN packets? Just SYN
> > > packets should suffice.
> >
> > This comes from the fact that the NEW state of Netfilter only means that
> > this is the first time this connection is seen by the firewall. What you
> > really want is the connection to be NEW and a valid connection opening,
> > so you check the SYN flag too.
>
> Serious documentation bug. Just count the number of sites that give
> wrong examples.
>
> Patch against woody's iptables:
>
> --- iptables-1.2.6a.ORIG/iptables.8 Fri Nov 5 12:28:43 2004
> +++ iptables-1.2.6a-local.0/iptables.8 Fri Nov 5 12:47:14 2004
> @@ -521,7 +521,12 @@
> supporting this feature)
> .SS state
> This module, when combined with connection tracking, allows access to
> -the connection tracking state for this packet.
> +the connection tracking state for this packet. Note that no
> +.I validity
> +check is performed, so for example \fB--state NEW\fP will match SYN,FIN packets.
> +Some TCP stacks assign special meanings to such packets, and this actually might
> +be what you want. For a more stringent filtering, see the \fB--tcp-flags\fP and
> +\fB--syn\fP options..
> .TP
> .BI "--state " "state"
> Where state is a comma separated list of the connection states to
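Review bot: the added sentence "Note that no validity check is performed" sits under the description of the whole state module, but the example that follows only concerns NEW, and ESTABLISHED and RELATED are matched against a tracked connection, so the caveat should be scoped to NEW, e.g. "Note that \fBNEW\fP only means this is the first packet seen for its connection; the TCP flags are not checked, so \fB--state NEW\fP will also match SYN,FIN packets." The last added line also ends in a doubled full stop ("options..").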
I disagree with this description: the --state NEW case should be described for what it is. There should be no expectation of a validity check for it, but the ESTABLISHED and RELATED cases do check for validity.

Baruch
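To make the distinction the thread is arguing about concrete, here is an added example (mine, not code from the thread or from iptables/Netfilter): a deliberately simplified connection tracker in Python that classifies a packet as NEW purely because its 4-tuple has not been seen, plus a `--syn`-style flag check layered on top, so a SYN,FIN or bare ACK first packet is NEW under the first rule but rejected by the second. The `Packet`, `Conntrack` and `SAMPLES` names and the addresses are constructed for this example.

```python
from collections import namedtuple

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

Packet = namedtuple("Packet", "src sport dst dport flags")


class Conntrack:
    """Simplified connection tracker: a connection counts as seen once any
    packet for its 4-tuple has passed in either direction. This is a model
    for the discussion, not Netfilter's real TCP state machine."""

    def __init__(self):
        self.seen = set()

    def state(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.seen or rev in self.seen:
            return "ESTABLISHED"
        self.seen.add(fwd)   # first packet of this connection...
        return "NEW"         # ...is NEW whatever its TCP flags are


def is_syn(p):
    """Equivalent of iptables --syn: SYN set and ACK, RST, FIN all clear."""
    return bool(p.flags & SYN) and not (p.flags & (ACK | RST | FIN))


def accept_new_only(ct, p):
    """Rule: -m state --state NEW -j ACCEPT"""
    return ct.state(p) == "NEW"


def accept_new_and_syn(ct, p):
    """Rule: -m state --state NEW --syn -j ACCEPT"""
    return ct.state(p) == "NEW" and is_syn(p)


# Constructed sample packets; each is the first packet seen for its 4-tuple.
SAMPLES = {
    "clean SYN": Packet("10.0.0.2", 40000, "10.0.0.1", 22, SYN),
    "SYN,FIN":   Packet("10.0.0.2", 40001, "10.0.0.1", 22, SYN | FIN),
    "bare ACK":  Packet("10.0.0.2", 40002, "10.0.0.1", 22, ACK),
}


def compare_rules():
    """Return {label: (accepted by NEW-only rule, accepted by NEW + --syn rule)}."""
    return {label: (accept_new_only(Conntrack(), p),
                    accept_new_and_syn(Conntrack(), p))
            for label, p in SAMPLES.items()}
```

Only the clean SYN passes both rules; the other two are NEW to the tracker yet are not valid connection openings, which is exactly why the SYN check is added alongside `--state NEW`.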