In message <[EMAIL PROTECTED]> you write:
> > iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j ACCEPT
> > iptables -A FORWARD -p tcp -m state --state NEW -j ACCEPT
> > iptables -A FORWARD -p tcp -j DROP
>
> The meaning of --state NEW is the number one misunderstanding of netfilter's
> dynamic filtering (*).
Hi all,

I disagree. Consider the original complaint: that --state NEW allowed TCP ACK packets through, which allowed an ACK scan. This surprised the observers, who then blocked ACKs. Of course, you can still use SYNs to scan the network, so they haven't actually won anything here, except that if their firewall reboots, established connections will die.

The confusion here comes from the "TCP connection" vs "connection tracking connection" distinction, which is subtle and usually harmless.

Hope that helps,
Rusty.
--
Anyone who quotes me in their sig is an idiot. -- Rusty Russell.
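The three outcomes Rusty describes (an ACK probe passing a plain `--state NEW` rule, a SYN probe passing either ruleset, and a mid-stream packet being dropped after the firewall's state table is lost) can be worked through with a toy model of connection tracking. The code below is an added illustration, not part of the original thread and not netfilter code: `ConnTracker` stands in for the conntrack table, `forward` for the FORWARD chain, and the two rule lists for the quoted ruleset and for the common "fix" of accepting NEW only when `--syn` matches. It assumes the behaviour Rusty is describing, namely that the first packet seen for an unknown 5-tuple is NEW whatever its flags are, and that an entry is only confirmed into the table when the packet is accepted; it ignores TCP window tracking, timeouts, and the later `nf_conntrack_tcp_loose` sysctl that can make such pickups INVALID instead. Addresses and ports are constructed sample data.

```python
from dataclasses import dataclass

SYN, ACK, RST, FIN = "SYN", "ACK", "RST", "FIN"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset

    def is_syn(self):
        # Same test as iptables --syn: SYN set, ACK/RST/FIN all clear.
        return SYN in self.flags and not (self.flags & {ACK, RST, FIN})


def flow_key(pkt):
    # Direction-independent key, so the reply packet finds the same entry.
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


class ConnTracker:
    """Toy conntrack table (assumption: any first packet of a flow is NEW)."""

    def __init__(self):
        self.table = set()

    def classify(self, pkt):
        # A "connection tracking connection" exists as soon as the table has
        # the key; whether a TCP handshake ever happened is not consulted.
        return "ESTABLISHED" if flow_key(pkt) in self.table else "NEW"

    def confirm(self, pkt):
        # Entries are only committed for packets the filter accepts.
        self.table.add(flow_key(pkt))

    def flush(self):
        # Models a firewall reboot: all tracked state is gone.
        self.table.clear()


def forward(ct, rules, pkt):
    """Walk the rule list in order; first match wins, default DROP."""
    state = ct.classify(pkt)
    for match, verdict in rules:
        if match(state, pkt):
            if verdict == "ACCEPT":
                ct.confirm(pkt)
            return verdict
    return "DROP"


# The ruleset quoted at the top of the thread.
LOOSE_RULES = [
    (lambda s, p: s == "ESTABLISHED", "ACCEPT"),
    (lambda s, p: s == "NEW", "ACCEPT"),
    (lambda s, p: True, "DROP"),
]

# The "fix" that surprised observers reach for: NEW must also be --syn.
STRICT_RULES = [
    (lambda s, p: s == "ESTABLISHED", "ACCEPT"),
    (lambda s, p: s == "NEW" and p.is_syn(), "ACCEPT"),
    (lambda s, p: True, "DROP"),
]

# Constructed sample addresses (documentation ranges).
SCANNER, SERVER, CLIENT = "198.51.100.7", "192.0.2.10", "192.0.2.20"


def ack_probe(rules):
    """Bare ACK to a port behind the firewall, no prior state: an ACK scan."""
    ct = ConnTracker()
    return forward(ct, rules, Packet(SCANNER, 40000, SERVER, 22, frozenset({ACK})))


def syn_probe(rules):
    """Plain SYN to the same port: a SYN scan."""
    ct = ConnTracker()
    return forward(ct, rules, Packet(SCANNER, 40001, SERVER, 22, frozenset({SYN})))


def midstream_after_reboot(rules):
    """Complete a handshake, lose the state table, then send a data ACK."""
    ct = ConnTracker()
    forward(ct, rules, Packet(CLIENT, 50000, SERVER, 22, frozenset({SYN})))
    forward(ct, rules, Packet(SERVER, 22, CLIENT, 50000, frozenset({SYN, ACK})))
    forward(ct, rules, Packet(CLIENT, 50000, SERVER, 22, frozenset({ACK})))
    ct.flush()  # firewall reboots; the TCP connection itself is still alive
    return forward(ct, rules, Packet(CLIENT, 50000, SERVER, 22, frozenset({ACK})))


if __name__ == "__main__":
    for name, rules in (("loose", LOOSE_RULES), ("strict", STRICT_RULES)):
        print(name, ack_probe(rules), syn_probe(rules), midstream_after_reboot(rules))
```

Run stand-alone it prints one line per ruleset. The loose ruleset accepts the ACK probe (the scan that started the thread), the strict one drops it, but both accept the SYN probe, so the network is exactly as scannable as before. What the strict ruleset does change is the reboot case: once the table is flushed, the next packet of a live TCP connection is an ACK with no entry, so it is NEW-but-not-SYN and gets dropped, which is the "established connections will die" outcome Rusty points to.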