On Fri, Jan 07, 2005 at 01:18:46PM +1300, Blair Strang wrote:
> | iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
> | iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK \
> |     SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
> | iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
> |     -j DROP
> 3) INPUT/OUTPUT: All the rules which would allow established connections to
> proceed are commented out. No packets in state NEW will be accepted because
> there are no rules to allow them. So no-one should be able to connect to you,
> and you should not be able to establish any outbound connections. Except for
> those ICMP messages again.

The NEW SYN,ACK is most likely used to make sure netfilter will not
(re)establish sessions from intermediate packets belonging to an established
session. I think the "! --syn" has more or less the same function (besides RST).

Greetings
Bernd
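As an added illustration (not part of the thread, and not netfilter's real TCP state machine): a small Python model of the three quoted BLOCKED_PACKETS rules, run in order over a constructed packet trace. The Conntrack class is a deliberate simplification: a packet is ESTABLISHED only if its flow is already in the table, INVALID if it is an RST for a flow the table never saw, and NEW for any other first packet of an unknown flow, which is exactly the case the `! --syn` rule targets (a mid-stream ACK that shows up after the state table lost, or never had, the entry). Labelling an unsolicited SYN,ACK as NEW is an assumption that follows the quoted rule, not a claim about any particular kernel version; `is_syn` mirrors iptables' `--syn` (SYN set, ACK/RST/FIN clear), and the addresses and ports in SAMPLE_TRACE are made up.

```python
"""Toy model of the quoted BLOCKED_PACKETS chain (added example, not thread code).

The Conntrack class is a deliberate simplification of netfilter's TCP tracking,
just enough to show which of the three rules each packet hits.
"""

SYN, ACK, RST, FIN = "SYN", "ACK", "RST", "FIN"

REJECT_RST = "REJECT --reject-with tcp-reset"


def pkt(src, sport, dst, dport, flags, note):
    """Build a constructed TCP packet record for the trace below."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": frozenset(flags), "note": note}


def is_syn(flags):
    """iptables --syn: SYN set and ACK, RST, FIN all clear."""
    return SYN in flags and not ({ACK, RST, FIN} & set(flags))


class Conntrack:
    """Minimal state table keyed by (src, sport, dst, dport)."""

    def __init__(self):
        self.table = set()

    def _known(self, p):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        return fwd in self.table or rev in self.table

    def classify(self, p):
        """Return the -m state label the rules would see for this packet."""
        if self._known(p):
            return "ESTABLISHED"
        if RST in p["flags"]:
            # RST for a flow we never tracked: nothing to reset.
            return "INVALID"
        # Assumption (follows the quoted rules, not a statement about a
        # particular kernel): the first packet of an unknown flow is NEW,
        # whether it is a bare SYN, a SYN,ACK, or a mid-stream ACK that
        # arrives after the table lost (or never had) the entry.
        return "NEW"

    def commit(self, p):
        self.table.add((p["src"], p["sport"], p["dst"], p["dport"]))


def blocked_packets(p, state):
    """Walk the three quoted rules in order.  Returns the verdict, or None when
    the packet falls through to whatever follows the chain."""
    flags = p["flags"]
    # -m state --state INVALID -j DROP
    if state == "INVALID":
        return "DROP"
    # -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT ...
    # (mask SYN,ACK; both must be set; the other flags are not examined)
    if state == "NEW" and SYN in flags and ACK in flags:
        return REJECT_RST
    # -p tcp ! --syn -m state --state NEW -j DROP
    if state == "NEW" and not is_syn(flags):
        return "DROP"
    return None


def run_trace(packets):
    """Apply the chain to a packet list; returns (note, state, verdict) tuples."""
    ct = Conntrack()
    out = []
    for p in packets:
        state = ct.classify(p)
        verdict = blocked_packets(p, state)
        if verdict is None and state == "NEW":
            # Model the later ACCEPT that would let conntrack keep the entry.
            ct.commit(p)
        out.append((p["note"], state, verdict))
    return out


# Constructed trace: client 10.0.0.5 talks to server 10.0.0.1:22, followed by
# the kinds of packet the three rules are meant to catch.
SAMPLE_TRACE = [
    pkt("10.0.0.5", 40000, "10.0.0.1", 22, [SYN], "client SYN"),
    pkt("10.0.0.1", 22, "10.0.0.5", 40000, [SYN, ACK], "server SYN,ACK"),
    pkt("10.0.0.5", 40000, "10.0.0.1", 22, [ACK], "client ACK"),
    pkt("192.0.2.9", 80, "10.0.0.5", 41000, [SYN, ACK], "unsolicited SYN,ACK"),
    pkt("10.0.0.5", 42000, "10.0.0.1", 443, [ACK], "mid-stream ACK, no entry"),
    pkt("192.0.2.9", 25, "10.0.0.5", 43000, [RST], "stray RST"),
]

if __name__ == "__main__":
    for note, state, verdict in run_trace(SAMPLE_TRACE):
        print(f"{note:28} {state:12} {verdict or 'falls through'}")
```

Running it shows the handshake packets falling through the chain (the SYN as NEW, the rest as ESTABLISHED), the unsolicited SYN,ACK answered with a TCP reset, the entry-less mid-stream ACK silently dropped by the `! --syn` rule, and the stray RST caught by the INVALID rule before either TCP rule is consulted. Whether a real kernel labels an unsolicited SYN,ACK NEW or INVALID changes only which of the first two rules fires; the packet is refused either way.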

