On 2007-08-02 Franck Joncourt wrote:
> On Thu, Aug 02, 2007 at 10:49:51PM +0200, Ansgar -59cobalt- Wiechers wrote:
>> On 2007-08-02 Franck Joncourt wrote:
>>> -m state --state NEW --syn rather than --syn
>>
>> "--syn" is kinda redundant when using "--state NEW". ;)
>
> You are wrong. Try to send a packet with the ACK flag set and the
> others cleared; therefore you will be able to match those packets with
> this rule:
>
> iptables -A INPUT -p tcp -m state --state NEW \
> --tcp-flags SYN,FIN,RST,ACK ACK -j RETURN
>
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html#SYNACKANDNEW
Instead of adding a --syn to the ACCEPT rule I'd rather add a REJECT rule
as described in the article you mentioned to protect against spoofing.

cu
59cobalt
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
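The ruleset below is an added example, not something posted in this thread. It shows the approach Ansgar prefers: instead of putting --syn on every ACCEPT rule, a single REJECT rule catches packets that conntrack classifies as NEW but that are not a bare SYN (such as a lone ACK with no matching connection entry), and it is placed before any rule that accepts NEW traffic. The INPUT policy, the accepted ports (22 and 80) and the REJECT target are assumptions for the example; conntrack must be loaded for -m state to work.

```shell
#!/bin/sh
# Constructed example: an iptables-restore ruleset for the INPUT chain.
# Not taken from the thread; ports and policy are assumptions.

ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# With nf_conntrack_tcp_loose=0 a lone ACK is INVALID rather than NEW,
# so drop INVALID here to cover that configuration as well.
-A INPUT -m state --state INVALID -j DROP
# A TCP packet that conntrack calls NEW but that is not a bare SYN
# (for example a lone ACK with no connection entry) is rejected here,
# before any rule that accepts NEW traffic can match it. Without this
# guard, "-m state --state NEW" alone on the rules below would let such
# packets reach the socket.
-A INPUT -p tcp ! --syn -m state --state NEW -j REJECT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check: returns 0 only if the "! --syn ... REJECT" guard appears
# before every rule that accepts NEW TCP traffic, 1 otherwise.
check_order() {
  ruleset | awk '
    /! --syn -m state --state NEW -j REJECT/ { guard = NR }
    /--state NEW -j ACCEPT/ { if (!guard) bad = 1 }
    END { exit bad }'
}

# Load (as root) with:  ruleset | iptables-restore
# Parse without committing first:  ruleset | iptables-restore --test
```

The same rules can be written with the newer match syntax (-m conntrack --ctstate instead of -m state --state); the ordering argument is unchanged. Note that REJECT answers the sender, which is what the quoted message asks for; DROP would silently discard the packet instead.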

