
#37 Protection Rule

Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2007-08-20
Created: 2007-08-12
Creator: fireholuser
Private: No

Hi,

I see that protection rules are applied in such a way that INVALID packets are dropped even before they are identified as bad packets (xmas, NULL, etc.).

Shouldn't the bad packets be tracked before?

Therefore, the INVALID chain should appear at the bottom.

i.e. after "fragments new-tcp-w/o-syn icmp-floods syn-floods malformed-xmas malformed-null malformed-bad"

Please correct me if I'm wrong.

With the current default firehol settings, I see no hits on chains for malformed-* packets.

Thanks in advance.

fiu.

Discussion

  • Costa Tsaousis

    Costa Tsaousis - 2007-08-20
    • status: open --> closed
  • Costa Tsaousis

    Costa Tsaousis - 2007-08-20

You may be right.
    From the iptables man page:

    Possible states are INVALID meaning that the packet could not be identified
    for some reason which includes running out of memory and ICMP errors which don't
    correspond to any known connection...

    If the connection tracker marks as INVALID all those matched by the firehol
    protections, then the protections are meaningless and should not exist in a
    tool like firehol.
    Anyway, I have moved the invalid match last in the list of protections
    (in v1.262).
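The ordering point raised in the ticket and settled in the reply, as an added illustration that is not FireHOL's own code: a chain that places the conntrack INVALID drop after the malformed-* matches, plus a check that the order is right. The chain name, the comment tags and the exact flag combinations are assumptions chosen for the example, and only the malformed-* protections from the list are shown.

```shell
#!/bin/sh
# Added example (not FireHOL's code). Emits an iptables protection chain with
# the conntrack INVALID drop placed LAST, so that a packet with bogus TCP
# flags is matched (and counted) by the malformed-* rules before conntrack
# gets the chance to discard it as INVALID. Chain name, comment tags and the
# flag combinations below are assumptions made for this illustration.

# Print the rules, one per line, for a protection chain named "$1".
# Each line is a complete iptables argument list (e.g. feed to xargs -L1 iptables).
protection_rules() {
    chain="$1"
    printf '%s\n' \
      "-N $chain" \
      "-A $chain -p tcp --tcp-flags ALL ALL -m comment --comment malformed-xmas -j DROP" \
      "-A $chain -p tcp --tcp-flags ALL NONE -m comment --comment malformed-null -j DROP" \
      "-A $chain -p tcp --tcp-flags SYN,FIN SYN,FIN -m comment --comment malformed-bad -j DROP" \
      "-A $chain -p tcp --tcp-flags SYN,RST SYN,RST -m comment --comment malformed-bad -j DROP" \
      "-A $chain -m conntrack --ctstate INVALID -m comment --comment invalid -j DROP"
}

# Print the 1-based position of the first rule tagged "$2" in chain "$1",
# or 0 if no such rule exists.
rule_position() {
    pos=$(protection_rules "$1" | grep -n -- "--comment $2 " | head -n 1 | cut -d: -f1)
    echo "${pos:-0}"
}

# Succeed (exit 0) only when the INVALID drop sits below every malformed-*
# match; this is the order that lets the malformed-* counters record hits.
invalid_is_last() {
    inv=$(rule_position "$1" invalid)
    for name in malformed-xmas malformed-null malformed-bad; do
        [ "$(rule_position "$1" "$name")" -lt "$inv" ] || return 1
    done
    return 0
}
```

Run `protection_rules protect` to see the generated rule list; `iptables -L protect -v -n` on a live host then shows the per-rule packet counters that the original ordering left at zero.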