On Tue, 26/04/2005 at 09:21 -0400, Theodore Knab wrote:
> Is there any advantage/disadvantage of using state for DROPS and REJECTS?
>
> I noticed I had the following rules which I really don't understand on my
> transparent bridge.
>
> IPTABLES="/sbin/iptables"
> OINT="eth1"
>
> $IPTABLES -I FORWARD -m state --state INVALID -j DROP
> $IPTABLES -A FORWARD -p tcp -m state -m physdev --physdev-in $OINT -s 129.2.16.23/32 --destination-port 25 --state NEW,ESTABLISHED,RELATED -j REJECT
> $IPTABLES -A FORWARD -p tcp -m state -m physdev --physdev-in $OINT --destination-port 1:1024 --state NEW,ESTABLISHED,RELATED -j REJECT
> $IPTABLES -A FORWARD -p udp -m state -m physdev --physdev-in $OINT --destination-port 1:1024 --state NEW,ESTABLISHED,RELATED -j REJECT
It depends on the subsequent lines. I mean, line 1 is useful because you want to drop invalid packets right away, without checking the following rules. Lines 2-4 are useful in a similar way, provided that your subsequent rules can trap the same packets and lead them to a different target (i.e. DROP instead of REJECT). However, line 2 is surely useless, as the same packets are trapped in a more general context by line 3.

Ciao,
Gian Piero.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
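To make the ordering argument above concrete, here is an added example (my own code, not from either poster) that models how netfilter walks a chain top-down over the four quoted FORWARD rules and flags a rule as redundant when a later rule with the same target already catches everything it matches, with no intervening rule able to divert those packets elsewhere. Only the match fields the quoted rules use are modelled (protocol, physdev-in, source network, destination port range, conntrack state); the interface name, source address and port ranges are copied from the quoted rules, and the sample packets are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_network, ip_address, IPv4Network
from typing import Optional, FrozenSet, Tuple, List

# Simplified model of an iptables rule: None in a field means "any" (no -m match given).
@dataclass(frozen=True)
class Rule:
    target: str                                  # -j DROP / REJECT / ...
    proto: Optional[str] = None                  # -p tcp|udp
    in_if: Optional[str] = None                  # -m physdev --physdev-in
    src: Optional[IPv4Network] = None            # -s a.b.c.d/n
    dports: Optional[Tuple[int, int]] = None     # --destination-port lo:hi
    states: Optional[FrozenSet[str]] = None      # -m state --state a,b,c


@dataclass(frozen=True)
class Packet:
    proto: str
    in_if: str
    src: str
    dport: int
    state: str          # conntrack classification: NEW, ESTABLISHED, RELATED, INVALID


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet satisfies every non-wildcard field of the rule."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.in_if is not None and rule.in_if != pkt.in_if:
        return False
    if rule.src is not None and ip_address(pkt.src) not in rule.src:
        return False
    if rule.dports is not None and not (rule.dports[0] <= pkt.dport <= rule.dports[1]):
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    return True


def first_match(chain: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """Walk the chain in order like netfilter: (1-based rule index, verdict).
    (None, 'POLICY') means nothing matched and the chain policy decides."""
    for i, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return i, rule.target
    return None, "POLICY"


def covers(general: Rule, specific: Rule) -> bool:
    """True if every packet matched by `specific` is also matched by `general`."""
    def within(g, s, inside):
        return g is None or (s is not None and inside(s, g))
    return (within(general.proto, specific.proto, lambda s, g: s == g)
            and within(general.in_if, specific.in_if, lambda s, g: s == g)
            and within(general.src, specific.src, lambda s, g: s.subnet_of(g))
            and within(general.dports, specific.dports,
                       lambda s, g: g[0] <= s[0] and s[1] <= g[1])
            and within(general.states, specific.states, lambda s, g: s <= g))


def overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules."""
    def both(x, y, meet):
        return x is None or y is None or meet(x, y)
    return (both(a.proto, b.proto, lambda x, y: x == y)
            and both(a.in_if, b.in_if, lambda x, y: x == y)
            and both(a.src, b.src, lambda x, y: x.overlaps(y))
            and both(a.dports, b.dports, lambda x, y: x[0] <= y[1] and y[0] <= x[1])
            and both(a.states, b.states, lambda x, y: bool(x & y)))


def redundant_rules(chain: List[Rule]) -> List[int]:
    """1-based indices of rules that can be removed without changing any verdict:
    a later rule with the same target covers them, and no rule in between could
    send one of their packets to a different target."""
    out = []
    for i, r in enumerate(chain):
        for j in range(i + 1, len(chain)):
            later = chain[j]
            if later.target == r.target and covers(later, r):
                if all(k.target == r.target or not overlaps(k, r) for k in chain[i + 1:j]):
                    out.append(i + 1)
                    break
    return out


# The quoted chain: rule 1 was inserted with -I, the rest appended with -A.
OINT = "eth1"
CONN = frozenset({"NEW", "ESTABLISHED", "RELATED"})
FORWARD = [
    Rule(target="DROP", states=frozenset({"INVALID"})),
    Rule(target="REJECT", proto="tcp", in_if=OINT,
         src=ip_network("129.2.16.23/32"), dports=(25, 25), states=CONN),
    Rule(target="REJECT", proto="tcp", in_if=OINT, dports=(1, 1024), states=CONN),
    Rule(target="REJECT", proto="udp", in_if=OINT, dports=(1, 1024), states=CONN),
]

if __name__ == "__main__":
    smtp = Packet("tcp", OINT, "129.2.16.23", 25, "NEW")   # constructed sample packet
    print("full chain:", first_match(FORWARD, smtp))
    print("without rule 2:", first_match(FORWARD[:1] + FORWARD[2:], smtp))
    print("redundant rules:", redundant_rules(FORWARD))
```

The "same target" condition in `redundant_rules` is exactly Gian Piero's caveat: change rule 2 to `-j DROP` and it is no longer redundant, because it now gives the 129.2.16.23 SMTP packets a different verdict from the one rule 3 would. On a live box, `iptables -L FORWARD -v -n` shows per-rule packet counters, so a rule that is genuinely shadowed or redundant in this sense will either stay at zero or duplicate the work of a later rule.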

