Re: [Fwbuilder-discussion] How to negate TCP flags
From: Andre R. <and...@gm...> - 2008-02-26 17:23:36
On Tuesday 26 February 2008 12:57:57 Stephan Windmüller wrote:
> Hello!
>
> Firewall Builder allows me to set a mask of TCP flags which should be
> checked and which must be set. But iptables is also able to handle a
> negation of this, for example
>
> iptables -A INPUT -p tcp -m tcp --sport 22 ! --tcp-flags SYN,RST,ACK SYN -j
> ACCEPT
>
> allows every connection from an SSH server but not the initiation of
> connection from there.

No. This rule does not make any sense. Connection FROM ssh server? What do you mean? SSHD generating connections? If you want to ensure ACCEPT for reply packets, why don't you use --state?

> Is there any way to design this with Firewall Builder?
>
> TIA
> Stephan
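The negated flag match from the question, worked through as an added example (Python; not code from the thread or from Firewall Builder): it reproduces the iptables MASK/COMP semantics of `--tcp-flags` and checks which constructed packets from source port 22 the quoted rule accepts.

```python
# Added example (not from the thread): how iptables evaluates
# "[!] --tcp-flags MASK COMP" and what the rule quoted above lets through.
# Flag bit values follow the TCP header (RFC 793; ECE/CWR from RFC 3168).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

def flags_to_bits(spec):
    """Turn an iptables flag list ('SYN,RST,ACK', 'ALL', 'NONE') into bits.
    iptables defines ALL as FIN,SYN,RST,PSH,ACK,URG and NONE as no bits."""
    if spec == "ALL":
        return 0x3F
    if spec == "NONE":
        return 0
    return sum(TCP_FLAGS[name] for name in spec.split(","))

def tcp_flags_match(pkt_flags, mask, comp, negate=False):
    """'--tcp-flags MASK COMP': look only at the bits in MASK and require
    exactly the bits in COMP to be set there; a leading '!' inverts that."""
    examined = pkt_flags & flags_to_bits(mask)
    return (examined == flags_to_bits(comp)) != negate

def ssh_reply_rule(pkt):
    """The rule from the question, with pkt as a constructed dict:
    iptables -A INPUT -p tcp -m tcp --sport 22 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    Returns 'ACCEPT' on a match, None when the packet falls through."""
    if pkt["proto"] != "tcp" or pkt["sport"] != 22:
        return None
    if tcp_flags_match(pkt["flags"], "SYN,RST,ACK", "SYN", negate=True):
        return "ACCEPT"
    return None

def pkt(*set_flags):
    """Constructed TCP packet from source port 22 with the given flags set."""
    return {"proto": "tcp", "sport": 22, "flags": flags_to_bits(",".join(set_flags))}

# Constructed traffic from a remote SSH server (source port 22).
PACKETS = {
    "syn_only": pkt("SYN"),          # server opening a new connection
    "syn_push": pkt("SYN", "PSH"),   # PSH is outside the mask, so it is ignored
    "syn_ack": pkt("SYN", "ACK"),    # reply to our connection attempt
    "ack_data": pkt("ACK", "PSH"),   # data on an established connection
    "rst_ack": pkt("RST", "ACK"),    # refusal of our connection attempt
    "stray_ack": pkt("ACK"),         # an ACK that belongs to no connection
}

if __name__ == "__main__":
    for name, p in PACKETS.items():
        print(f"{name:10s} -> {ssh_reply_rule(p)}")
```

Only the two SYN-without-ACK packets fall through; the stray ACK is accepted as well, because a flag match is stateless, which is the gap the --state suggestion in the reply points at.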