What your rule says is, exactly:

  iptables -A INPUT -i $IFACE0 -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW-NOT-SYN: "
  iptables -A INPUT -i $IFACE0 -p tcp ! --syn -m state --state NEW -j DROP

(and then I assume you accept some things later on)

Which is exactly equivalent to:

  iptables -A INPUT -i $IFACE0 -p tcp --tcp-flags ! SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "NEW-NOT-SYN: "
  iptables -A INPUT -i $IFACE0 -p tcp --tcp-flags ! SYN,RST,ACK SYN -m state --state NEW -j DROP

(and then I assume you accept some things later on)

What his rule says is:

  iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
  (accept established)
  (log everything)
  (drop everything)

The only packets that will be treated differently by his rules and by yours are SYN-FIN packets, which will be accepted by your rules, and not by his.

Put it this way: Your rules say that if the SYN isn't the only thing set, log and drop, otherwise accept. His rules say that if the SYN *is* the only thing set, accept it, otherwise log and drop.

Or, another way: I say if the coin comes up heads, I win. You say if it comes up tails, you lose. Who's right?

-Joe

> -----Original Message-----
> From: Tony Earnshaw [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 29, 2002 10:44 AM
> To: Joe Patterson
> Cc: Simon Oosthoek; Netfilter Users
> Subject: RE: http filter question
>
>
> Mon, 2002-04-29 at 16:03, Joe Patterson wrote:
>
> > you're misreading that rule.
>
> I'm not, you know.
>
> Actually, from what you say, I don't know whether you are writing about
> "his" rule or "my" rule.
>
> What "my" rule says, is:
>
> "If it's NEW, and if the SYN flag isn't set exclusively, then:
>
> a: Log it to prefix NEW-NOT-SYN:;
> b: Drop it.
>
> Alternatively, what "he" says is the basis of *many* stealth scans (like
> Xmas tree) and other nastiness, as I said.
>
> I've masses of documentation and someone far more talented than I am
> passed on this rule to me. Not to speak of Oskar Andreasson, who also
> says more or less the same in his tutorial :-)
>
> Tony
>
> --
>
> Tony Earnshaw
>
> e-post: [EMAIL PROTECTED]
> www: http://www.billy.demon.nl
> gpg public key: http://www.billy.demon.nl/tonni.armor
>
> Telefoon: (+31) (0)172 530428
> Mobiel: (+31) (0)6 51153356
>
> GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
> 3BE7B981
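The difference Joe describes, worked through as an added example that is not code from the thread: a small Python model of iptables --tcp-flags MASK COMP matching, run over both rule sets with the SYN,RST,ACK mask the thread gives for --syn, against a constructed set of flag combinations. Later iptables releases include FIN in the --syn mask, so check the man page for the version actually deployed before relying on either form.

```python
# Model of iptables "--tcp-flags MASK COMP" matching, used to compare the two
# rule sets from the thread.  Added example; the packet list is constructed.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags(*names):
    """Build a TCP flag bitmask from flag names."""
    bits = 0
    for n in names:
        bits |= FLAGS[n]
    return bits


def tcp_flags_match(pkt_flags, mask, comp):
    """--tcp-flags MASK COMP: look only at the bits in MASK, match if they equal COMP."""
    return (pkt_flags & mask) == comp


# Mask the thread states for "--syn" (SYN,RST,ACK; FIN is not examined).
SYN_MASK = flags("SYN", "RST", "ACK")


def tony_verdict(pkt_flags):
    """Tony's rules: a NEW packet that is ! --syn is logged and dropped, else accepted."""
    if not tcp_flags_match(pkt_flags, SYN_MASK, flags("SYN")):
        return "DROP"
    return "ACCEPT"


def joe_verdict(pkt_flags):
    """'His' rules: NEW with FIN,SYN,RST,ACK == SYN is accepted, everything else dropped."""
    if tcp_flags_match(pkt_flags, flags("FIN", "SYN", "RST", "ACK"), flags("SYN")):
        return "ACCEPT"
    return "DROP"


def compare(packets):
    """Map packet name -> (Tony's verdict, his verdict) for each NEW packet."""
    return {name: (tony_verdict(p), joe_verdict(p)) for name, p in packets.items()}


def differing(packets):
    """Names of packets on which the two rule sets disagree."""
    return [n for n, (a, b) in compare(packets).items() if a != b]


# Constructed sample of NEW packets as seen by the state match.
SAMPLE = {
    "SYN": flags("SYN"),
    "SYN-ACK": flags("SYN", "ACK"),
    "SYN-FIN": flags("SYN", "FIN"),
    "Xmas (FIN,PSH,URG)": flags("FIN", "PSH", "URG"),
    "NULL": 0,
    "ACK": flags("ACK"),
}

if __name__ == "__main__":
    for name, verdicts in compare(SAMPLE).items():
        print(f"{name:20s} tony={verdicts[0]:6s} his={verdicts[1]}")
    print("differ on:", differing(SAMPLE))
```

Only the SYN-FIN probe separates the two: Tony's rules accept it because FIN is outside the mask they examine, while the FIN,SYN,RST,ACK mask drops it.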
