On Tue, Aug 23, 2005 at 04:44:02PM -0700, Doug wrote:
> I keep seeing this in firewall scripts on the net, but I am unable to find an
> explanation or listing/table of tcp-options.
> The command in question is the following
>
> iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
If you google for "tcp options" the first hit is:
http://www.iana.org/assignments/tcp-parameters

Kind Length Meaning                          Reference
---- ------ -------------------------------- ---------
   0    -   End of Option List               [RFC793]
   1    -   No-Operation                     [RFC793]
   2    4   Maximum Segment Size             [RFC793]
   3    3   WSOPT - Window Scale             [RFC1323]
 ...

And I am not sure when the above rule makes sense. It looks inverted: the
protocol requires this option only in the SYN segments, so perhaps this is a
misguided try to filter those? What I see in some tutorials is that you accept
SYN packets before, and then you can reject all packets which have the option,
because they are no SYN segments.

BTW: ipt_unclean is also filtering some option 2 misuse. But that is aimed at
the content, not only the presence.

> I'm sure it's safe, and likely a good idea to have in, given the number of
> tutorials that have it in, but I just dislike the idea of having something
> in my to be firewall script that I have little understanding of.

Can you point us to a tutorial which has this in and does not explain it?
Especially the one where this rule makes sense.

Regards
Bernd
-- 
  (OO)      -- [EMAIL PROTECTED] --
 ( .. )  [EMAIL PROTECTED],linux.de,debian.org} http://www.eckes.org/
  o--o     1024D/E383CD7E [EMAIL PROTECTED] v:+497211603874 f:+49721151516129
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!

