from <http://www.linux.com/security/newsitem.phtml?sid=11&aid=4445> (thx stojan)

Finally, ipchains also has the ability to filter packets with the SYN flag on. In TCP, all connections require a three-way handshake. The first stage in this handshake is for the requesting host to send a SYN (synchronize) packet. (That is, a packet with only the SYN flag on.) A very paranoid firewall which allows absolutely no connections from the outside world to pass into the local network may choose to filter all SYN packets. If we assume the IP of the server is 123.123.123.123, you can do this in ipchains with:

    ipchains -A input -p TCP -d ! 123.123.123.123 -y -j DENY

This instructs ipchains to deny all SYN packets that are destined for any host other than the firewall. (This allows the firewall to accept incoming connections itself.) Note that while this increases the level of security, it will break certain protocols such as FTP (active mode transfers) or IRC (sending DCC requests). With FTP, you can deploy clients that support passive mode transfers, but other protocols may require a proxy (described below).

--
Windows N'T: as in Wouldn't, Couldn't and didn't
Yep...we have a W2K problem.
> All the standard disclaimers apply. <
Join Slovenia RC5 team: http://stats.distributed.net/rc5-64/tmsummary.php3?team=935
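The following is an added worked example, not part of the quoted article or the original post. It models what the ipchains rule above actually matches: `-y` selects TCP packets with SYN set and ACK and FIN cleared (the first packet of a handshake), and `-d ! 123.123.123.123` exempts the firewall's own address. The packets, addresses (a constructed external host 200.1.1.1 and an internal host 192.168.1.10) and ports are constructed test data; the verdict function is a model of the rule plus a default ACCEPT policy, not real ipchains code. The last scenario shows why active-mode FTP breaks: the server opens the data connection back to the client, and that inbound SYN is exactly what the rule denies, while the SYN-ACK reply to an outbound connection still passes.

```python
import struct
from ipaddress import ip_address

FIREWALL_IP = "123.123.123.123"   # the server address from the quoted text

# TCP control bits (RFC 793), low bits of the data-offset/flags word
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Construct a minimal IPv4 + TCP header (no options, no payload, checksums zero).
    Constructed test data only; enough for a header parser to work on."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,      # v4, IHL 5, len 40, TTL 64, proto TCP
                         ip_address(src).packed, ip_address(dst).packed)
    offset_flags = (5 << 12) | flags                        # data offset 5 words, flags in low bits
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse(pkt):
    """Pull the fields an ipchains rule looks at out of a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = struct.unpack("!H", tcp[12:14])[0] & 0x1FF
    return {
        "proto": pkt[9],
        "src": str(ip_address(pkt[12:16])),
        "dst": str(ip_address(pkt[16:20])),
        "sport": sport, "dport": dport, "flags": flags,
    }


def is_syn_only(flags):
    """ipchains -y semantics: SYN set, ACK and FIN cleared (a new connection request)."""
    return bool(flags & SYN) and not (flags & ACK) and not (flags & FIN)


def input_chain_verdict(pkt):
    """Model of: ipchains -A input -p TCP -d ! 123.123.123.123 -y -j DENY
    with the chain's default policy assumed to be ACCEPT (assumption for this example)."""
    p = parse(pkt)
    if p["proto"] == 6 and p["dst"] != FIREWALL_IP and is_syn_only(p["flags"]):
        return "DENY"
    return "ACCEPT"


def scenarios():
    """Constructed traffic samples and the verdict the rule gives each one."""
    ext, inside = "200.1.1.1", "192.168.1.10"          # constructed addresses
    return {
        # outside host opens SSH to the firewall itself: exempted by '-d !'
        "syn_to_firewall": input_chain_verdict(build_ipv4_tcp(ext, FIREWALL_IP, 40001, 22, SYN)),
        # outside host opens HTTP to an internal host: denied
        "syn_to_internal": input_chain_verdict(build_ipv4_tcp(ext, inside, 40002, 80, SYN)),
        # reply to a connection the internal host initiated: SYN+ACK, not matched by -y
        "synack_reply_to_internal": input_chain_verdict(build_ipv4_tcp(ext, inside, 80, 40003, SYN | ACK)),
        # established data flowing back in: ACK only
        "ack_to_internal": input_chain_verdict(build_ipv4_tcp(ext, inside, 80, 40003, ACK)),
        # active-mode FTP: server connects from port 20 back to the client's data port
        "active_ftp_data_to_internal": input_chain_verdict(build_ipv4_tcp(ext, inside, 20, 40004, SYN)),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:30s} -> {verdict}")
```

The rule only blocks the opening SYN, so an internal client's own outbound connections keep working (the SYN-ACK and later ACKs pass), which is the behaviour the article describes; anything that needs an outside host to initiate a connection inward, such as active FTP data or IRC DCC, is cut off unless it is proxied.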
