Hi All!

On Tue, 2006-07-04 at 09:56 +0200, martin f krafft wrote:
>
> Many people have rules like
>
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
>
> I've done research and found that
>
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -m conntrack --ctstate INVALID -j DROP
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>
> is the same, meaning that the INVALID state matches all non-SYN
> packets at this point.
For the same, you must replace the second line with this:

-A INPUT -p tcp -m conntrack --ctstate NEW ! --syn -j DROP

Or, to be sure, use both lines.
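Added example, not code from the thread or from netfilter itself: a small Python model of how conntrack labels a TCP packet and how the two quoted rulesets (plus the reply's NEW ! --syn rule) treat a lone ACK to port 22 that matches no connection. It assumes the kernel default nf_conntrack_tcp_loose=1, under which such a packet is picked up as NEW rather than INVALID, ignores RELATED, and uses constructed flow ids and addresses; the class and function names are the example's own.

```python
# Added model, not code from the thread: netfilter's conntrack labels a TCP
# packet NEW / ESTABLISHED / INVALID before rules see it; the two rulesets
# below mirror the ones quoted above (RELATED is ignored for brevity).
from collections import namedtuple

# syn is True for a pure SYN (what `--syn` matches); flow is a constructed id.
Packet = namedtuple("Packet", "dport syn flow")

class Conntrack:
    # Assumption: nf_conntrack_tcp_loose=1 (kernel default) picks up a non-SYN
    # packet that has no entry as NEW; with tcp_loose=0 it is INVALID.
    def __init__(self, tcp_loose=True):
        self.tcp_loose = tcp_loose
        self.flows = {}   # flow id -> "new" | "established"

    def ctstate(self, pkt):
        entry = self.flows.get(pkt.flow)
        if entry == "established":
            return "ESTABLISHED"
        if entry == "new":
            return "NEW"          # e.g. a retransmitted SYN
        if pkt.syn or self.tcp_loose:
            self.flows[pkt.flow] = "new"
            return "NEW"
        return "INVALID"

def ruleset_syn_only(state, pkt):
    # -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
    if state == "ESTABLISHED" or (pkt.dport == 22 and pkt.syn):
        return "ACCEPT"
    return "POLICY"   # falls through to the INPUT chain policy

def ruleset_invalid_drop(state, pkt, drop_new_nonsyn=False):
    # -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # -A INPUT -m conntrack --ctstate INVALID -j DROP
    # -A INPUT -p tcp -m conntrack --ctstate NEW ! --syn -j DROP  (the reply's fix)
    # -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    if state == "ESTABLISHED":
        return "ACCEPT"
    if state == "INVALID" or (drop_new_nonsyn and state == "NEW" and not pkt.syn):
        return "DROP"
    return "ACCEPT" if pkt.dport == 22 else "POLICY"

def stray_ack_verdicts(tcp_loose, drop_new_nonsyn=False):
    """(ctstate, syn-only verdict, invalid-drop verdict) for a lone ACK to
    port 22 that matches no conntrack entry; addresses are constructed."""
    pkt = Packet(dport=22, syn=False, flow="198.51.100.7:40001->22")
    state = Conntrack(tcp_loose).ctstate(pkt)
    return state, ruleset_syn_only(state, pkt), ruleset_invalid_drop(state, pkt, drop_new_nonsyn)
```

With the default tcp_loose=1 the INVALID rule alone lets the stray ACK reach the port 22 ACCEPT rule, while the syn-only ruleset leaves it to the chain policy; adding the NEW ! --syn DROP rule makes the two rulesets agree again.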