On Fri, Nov 05, 2004 at 03:04:34PM +0000, Baruch Even wrote:
> On Fri, 2004-11-05 at 14:27, martin f krafft wrote:
> You have three categories into which all sessions go:
> ESTABLISHED,RELATED
> NEW
> INVALID
> pick two to cover the spectrum of attacks.
> 
> If you don't check for NEW, a SYN packet which is INVALID for some
> connection can be accepted. If you check for INVALID before you check
> for SYN you're covered.

Here again, at least the manpage seems to be misleading.  Quoting the
iptables(8) manpage from woody:

> Possible states are INVALID meaning that the packet is associated with
> no known connection, [...] NEW meaning that the packet has started a
> new connection, or otherwise associated with a connection which has
> not seen packets in both directions

At least one of the INVALID and NEW definitions is invalid.  If NEW were
to match INVALID packets, these packets would by definition be
``associated with no known connection'', and vice versa.

--
Jan
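The rule-ordering point made earlier in the thread (drop INVALID before accepting SYN) can be seen in a toy model of conntrack classification and first-match rule traversal. This is an added example, not code from the thread or from netfilter; the classifier is a deliberate simplification of Linux conntrack (whose `nf_conntrack_tcp_loose` default lets a non-SYN packet with no tracked connection be classified NEW rather than INVALID), and the two INPUT chains and addresses are constructed for illustration.

```python
# Toy model of iptables conntrack states and first-match rule order.
# Added example; simplified conntrack, hypothetical rulesets, constructed data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool
    ack: bool


def classify(pkt, table, tcp_loose=True):
    """Simplified conntrack: return NEW, ESTABLISHED or INVALID."""
    key = (pkt.src, pkt.dst, pkt.dport)
    if key in table:
        # A bare SYN inside an already tracked connection is INVALID.
        return "INVALID" if pkt.syn and not pkt.ack else "ESTABLISHED"
    if pkt.syn and not pkt.ack:
        return "NEW"  # first packet of a connection
    # Non-SYN packet with no tracked connection: mid-stream pickup.
    return "NEW" if tcp_loose else "INVALID"


def apply_rules(rules, pkt, state):
    """First matching rule wins; the chain policy (fallthrough) is DROP."""
    for match, target in rules:
        if match(pkt, state):
            return target
    return "DROP"


# Hypothetical INPUT chain that accepts --syn to port 22 before dropping INVALID.
syn_first = [
    (lambda p, s: s == "ESTABLISHED", "ACCEPT"),
    (lambda p, s: p.dport == 22 and p.syn and not p.ack, "ACCEPT"),
    (lambda p, s: s == "INVALID", "DROP"),
]
# Same chain with INVALID dropped first, and NEW required for the --syn rule.
invalid_first = [
    (lambda p, s: s == "INVALID", "DROP"),
    (lambda p, s: s == "ESTABLISHED", "ACCEPT"),
    (lambda p, s: p.dport == 22 and p.syn and not p.ack and s == "NEW", "ACCEPT"),
]


def verdict(rules, pkt, table, tcp_loose=True):
    return apply_rules(rules, pkt, classify(pkt, table, tcp_loose))


TRACKED = {("10.0.0.2", "10.0.0.1", 22)}  # constructed: one existing SSH session
```

Running the two chains over the same packets shows the SYN that conntrack marks INVALID slipping through `syn_first` but being dropped by `invalid_first`.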
