You're misreading that rule. The --tcp-flags option takes two arguments,
the flag mask and the set flags. What his rule says is that out of SYN,
FIN, ACK, and RST, only SYN is set, which is very similar to the --syn
argument. From `iptables -p tcp --help`:
    --tcp-flags [!] mask comp    match when TCP flags & mask == comp
                                 (Flags: SYN ACK FIN RST URG PSH ALL NONE)
    [!] --syn                    match when only SYN flag set
                                 (equivalent to --tcp-flags SYN,RST,ACK SYN)
Although that's odd in that it looks like --syn will match SYN-FIN packets
as well, which it probably shouldn't..... Hmmmmmm...
-Joe
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Tony Earnshaw
> Sent: Monday, April 29, 2002 7:29 AM
> To: Simon Oosthoek
> Cc: Netfilter Users
> Subject: Re: http filter question
>
>
> Sun, 2002-04-28 at 23:15, Simon Oosthoek wrote:
>
> > ACCEPT tcp -- anywhere anywhere state NEW tcp flags:FIN,SYN,RST,ACK/SYN
>
> To my mind, by defining FIN, RST and ACK as allowable for "NEW"
> connections, you're laying your machines open to all kinds of nastiness.
> DoS attacks, nuking, goodness knows what. By definition, NEW=SYN and
> after that, the connection is ESTABLISHED.
>
> In my standard filter (that I'm using now on my laptop), I have the
> rule:
>
> ## Make sure NEW tcp connections are SYN packets
> iptables -A INPUT -i $IFACE0 -p tcp ! --syn -m state --state NEW -j LOG \
>     --log-prefix "NEW-NOT-SYN: "
> iptables -A INPUT -i $IFACE0 -p tcp ! --syn -m state --state NEW -j DROP
>
> Tony
>
> --
>
> Tony Earnshaw
>
> e-post: [EMAIL PROTECTED]
> www: http://www.billy.demon.nl
> gpg public key: http://www.billy.demon.nl/tonni.armor
>
> Telefoon: (+31) (0)172 530428
> Mobiel: (+31) (0)6 51153356
>
> GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
> 3BE7B981
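To make the mask/comp semantics Joe describes concrete, here is an offline model of the match (an added example, not code from anyone in this thread). It encodes the rule quoted from `iptables -p tcp --help`, "match when TCP flags & mask == comp", and runs the two rules under discussion, plain `--syn` and Simon's `FIN,SYN,RST,ACK/SYN`, plus Tony's `! --syn --state NEW -j DROP` check, against a constructed set of flag combinations. The flag bit values are the TCP header bits; the function names and the sample packet list are the example's own.

```python
"""
Offline model of iptables' --tcp-flags and --syn matching.

Added example, not code from the thread. It implements the help-text rule
quoted above: a packet matches when (flags & mask) == comp. Flag bit values
are the TCP header bits; no netfilter or root access is needed to run it.
"""

FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}
ALL = sum(FLAG_BITS.values())


def parse_flags(spec):
    """Convert an iptables flag list ("SYN,RST,ACK", "ALL", "NONE") to a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAG_BITS[name] for name in spec.split(","))


def tcp_flags_match(packet_flags, mask, comp, negate=False):
    """--tcp-flags [!] mask comp: true when (flags & mask) == comp."""
    hit = (parse_flags(packet_flags) & parse_flags(mask)) == parse_flags(comp)
    return hit != negate  # a leading '!' inverts the result


def syn_match(packet_flags, negate=False):
    """[!] --syn, the shorthand for --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK", "SYN", negate)


def simon_rule_match(packet_flags):
    """The rule from Simon's listing: tcp flags:FIN,SYN,RST,ACK/SYN."""
    return tcp_flags_match(packet_flags, "FIN,SYN,RST,ACK", "SYN")


def tony_verdict(packet_flags, state):
    """Tony's filter: '-p tcp ! --syn -m state --state NEW -j DROP'.

    Returns "DROP" when the rule fires, otherwise "continue" (the packet
    falls through to whatever rules follow). `state` is the conntrack state
    the packet would carry ("NEW", "ESTABLISHED", ...).
    """
    if state == "NEW" and syn_match(packet_flags, negate=True):
        return "DROP"
    return "continue"


# Constructed sample packets (example's own): normal handshake segments plus
# flag combinations a scanner might send, including the SYN+FIN case Joe noted.
SAMPLES = ["SYN", "SYN,ACK", "SYN,FIN", "ACK", "FIN", "NONE", "SYN,PSH,URG", "ALL"]


def compare_rules(samples=SAMPLES):
    """Return {flags: (matches --syn, matches FIN,SYN,RST,ACK/SYN)} per sample."""
    return {f: (syn_match(f), simon_rule_match(f)) for f in samples}


if __name__ == "__main__":
    print(f"{'flags':<12}{'--syn':<8}FIN,SYN,RST,ACK/SYN")
    for flags, (syn, simon) in compare_rules().items():
        print(f"{flags:<12}{str(syn):<8}{simon}")
```

Running it shows the one row where the two rules disagree: a SYN+FIN segment satisfies `--syn` (FIN is outside its mask) but not Simon's rule, which is exactly the oddity Joe points at. Bits outside the mask (PSH, URG) are ignored by both, so a SYN with PSH and URG set still counts as a connection request under either rule.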