On Thu, Dec 05, 2002 at 05:15:23PM -1000, Dustin Cross wrote:

> # Flags S/SA only allows packets with the SYN and SYNACK flags set
> # This prevents many forms of portscanning such as FIN scanning
> pass in log quick on eth0 proto tcp from 63.13.13.2/32 to eth0/32 port = 22 flags S/SA keep state
> pass in log quick on eth0 proto tcp from 192.168.0.0/24 to eth0/32 port = 22 flags S/SA keep state
I think the rules should read 'flags S keep state'. Otherwise, you become vulnerable to SYN|ACK spoofing. You only want to save state when you are establishing the TCP session, which is SYN only. The same theory applies to iptables.

> # Flags S ensures state tracking only on the first outbound tcp packet
> pass out quick on eth0 proto tcp from any to any flags S keep state

Perfect.

-Vince
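An added example, not part of either message above: the test ipf applies to a `flags` clause, as documented in the ipf(5) man page, is `(packet_flags & mask) == flags`, and a clause with no `/mask` part is shorthand for a mask of all six flags (AUPRFS), so `flags S` means `flags S/AUPRFS`. The script below implements that test and runs the two rule forms from the thread, `flags S` and `flags S/SA`, over a handful of constructed packets (a bare SYN, a SYN|ACK, a SYN|PSH|FIN, an ACK and a FIN). The packet list, the function names and the dead-rule check in the parser are this example's own, not ipf's.

```python
"""Added example: evaluate ipf 'flags' clauses the way ipf(5) describes.

ipf matches when (packet_flags & mask) == flags; an omitted mask means
every one of the six flags is significant (flags S == flags S/AUPRFS).
"""

# The six flag letters ipf understands, mapped to their TCP header bits.
TCP_FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
}
ALL_FLAGS_MASK = sum(TCP_FLAG_BITS.values())  # the implicit /AUPRFS mask


def letters_to_bits(letters: str) -> int:
    """Turn an ipf flag string such as 'SA' into a bit mask."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= TCP_FLAG_BITS[ch]
    return bits


def parse_flags_clause(clause: str) -> tuple[int, int]:
    """Parse the text after ipf's 'flags' keyword into (flags, mask).

    'S'    -> (SYN, all six flags), the shorthand for S/AUPRFS
    'S/SA' -> (SYN, SYN|ACK)
    """
    if "/" in clause:
        set_part, mask_part = clause.split("/", 1)
        flags, mask = letters_to_bits(set_part), letters_to_bits(mask_part)
    else:
        flags, mask = letters_to_bits(clause), ALL_FLAGS_MASK
    # A required bit that is not in the mask can never match. Rejecting it
    # here is this example's sanity check, not something ipf itself does.
    if flags & ~mask:
        raise ValueError(f"flags {clause!r}: set bits outside the mask never match")
    return flags, mask


def matches(clause: str, packet_flags: int) -> bool:
    """ipf's flag test: (packet_flags & mask) == flags."""
    flags, mask = parse_flags_clause(clause)
    return (packet_flags & mask) == flags


# Constructed sample packets, each described by the flag bits it carries.
SAMPLE_PACKETS = {
    "SYN":         letters_to_bits("S"),    # normal connection request
    "SYN|ACK":     letters_to_bits("SA"),   # second step of the handshake
    "SYN|PSH|FIN": letters_to_bits("SPF"),  # the 'SFP' oddity the man page mentions
    "ACK":         letters_to_bits("A"),    # mid-stream segment
    "FIN":         letters_to_bits("F"),    # a FIN-scan probe
}


def matching_packets(clause: str) -> list[str]:
    """Names of the sample packets the clause would let through."""
    return [name for name, bits in SAMPLE_PACKETS.items() if matches(clause, bits)]


if __name__ == "__main__":
    for clause in ("S", "S/SA"):
        admitted = ", ".join(matching_packets(clause)) or "(none)"
        print(f"flags {clause:<5} admits: {admitted}")
```

Run stand-alone, it lists which of the constructed packets each clause admits. `flags S` passes only the bare SYN, since every other flag is in its implicit mask; `flags S/SA` leaves the four flags outside its mask unconstrained, which is why the SYN|PSH|FIN packet also gets through it while a packet carrying ACK does not.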
