Re: [Jwall-developers] reverse rules
From: zack <za...@th...> - 2003-11-04 03:24:36
This has been fixed.

Zack

Jörg Schütter wrote:
> Hello list,
>
> On Wed, 29 Oct 2003 19:19:40 +0100
> Jörg Schütter <jw...@sc...> wrote:
>
>> Hello Zachary,
>>
>> On Tue, 28 Oct 2003 18:03:28 -0500 (EST)
>> "Zachary Link" <za...@th...> wrote:
>>
>>>> To prevent someone from sending garbage as the first tcp packet, we
>>>> should add the match "--tcp-flags ALL SYN"
>>>
>>> Isn't that the same as -state NEW? So it looks like we can either
>>> add -state NEW OR add --tcp-flags ALL SYN to the rule, but both
>>> would be redundant. I will probably try to incorporate the -state
>>> NEW, just as it looks a little cleaner.
>>
>> You are right. A tcp packet without a SYN flag can never be in state
>> NEW. Instead iptables discovers this packet as garbage and flags it
>> with INVALID. So there will be no need for this --tcp-flag.
>
> Oops, a first tcp packet with the ACK set, but without any SYN can be in
> state NEW. Due to this, it would be safer to use "-syn" or "--tcp-flags
> ALL SYN" in tcp rules.
>
> Jörg
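The point Jörg raises above is worth seeing in matching terms: a `--state NEW` match (today usually written `-m conntrack --ctstate NEW`) is a conntrack verdict, not a flag check, and conntrack will by default pick up a flow mid-stream from a bare ACK and call that packet NEW. Adding `--syn` (shorthand for `--tcp-flags SYN,RST,ACK,FIN SYN`) or `--tcp-flags ALL SYN` closes that gap. The script below is an added illustration written for this thread, not jwall or netfilter code: it implements the `--tcp-flags MASK COMP` semantics exactly, but its conntrack classification is a deliberately simplified model (an assumption, as is modelling the mid-stream pickup with the `nf_conntrack_tcp_loose` sysctl, whose default is 1), and the sample packets are constructed.

```python
# Added model of iptables TCP-flag matching versus conntrack's NEW state.
# Written for this discussion; not iptables or netfilter code. The conntrack
# logic is a simplified model (assumption) and the packets are constructed.

# Flag bits as they sit in the TCP header's flags byte.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = 0x3F   # iptables' "ALL" keyword covers exactly these six bits


def parse_flags(spec):
    """Turn an iptables flag list ("SYN,ACK", "ALL", "NONE") into a bitmask."""
    spec = spec.upper()
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= TCP_FLAGS[name]
    return bits


def tcp_flags_match(flags, mask_spec, comp_spec):
    """--tcp-flags MASK COMP: inspect only the MASK bits and require them to equal COMP."""
    return (flags & parse_flags(mask_spec)) == parse_flags(comp_spec)


def syn_match(flags):
    """--syn is documented shorthand for --tcp-flags SYN,RST,ACK,FIN SYN."""
    return tcp_flags_match(flags, "SYN,RST,ACK,FIN", "SYN")


def conntrack_state(flags, has_entry, tcp_loose=True):
    """Simplified model (assumption) of the state conntrack assigns to a TCP packet.

    has_entry: a tracked connection already exists for this flow.
    tcp_loose: models net.netfilter.nf_conntrack_tcp_loose (default 1), which
               lets conntrack pick up a flow mid-stream from a bare ACK.
    """
    f = TCP_FLAGS
    if has_entry:
        return "ESTABLISHED"          # enough detail for this discussion
    if flags & f["RST"]:
        return "INVALID"              # a RST cannot open a flow
    if flags & f["SYN"]:
        return "INVALID" if flags & f["ACK"] else "NEW"   # SYN/ACK needs a prior SYN
    if flags & f["FIN"]:
        return "INVALID"
    if flags & f["ACK"]:
        return "NEW" if tcp_loose else "INVALID"  # mid-stream pickup: the case raised above
    return "INVALID"


RULES = ["--state NEW", "--state NEW --syn", "--state NEW --tcp-flags ALL SYN"]


def accepted_by(rule, flags, has_entry, tcp_loose=True):
    """Would an ACCEPT rule carrying these matches fire for this packet?"""
    state = conntrack_state(flags, has_entry, tcp_loose)
    if rule == "--state NEW":
        return state == "NEW"
    if rule == "--state NEW --syn":
        return state == "NEW" and syn_match(flags)
    if rule == "--state NEW --tcp-flags ALL SYN":
        return state == "NEW" and tcp_flags_match(flags, "ALL", "SYN")
    raise ValueError(rule)


# Constructed sample packets: (description, flags, connection already tracked?)
SAMPLES = [
    ("plain SYN",           TCP_FLAGS["SYN"],                    False),
    ("bare ACK, no entry",  TCP_FLAGS["ACK"],                    False),
    ("ACK+PSH, no entry",   TCP_FLAGS["ACK"] | TCP_FLAGS["PSH"], False),
    ("SYN+ACK, no entry",   TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"], False),
    ("ACK on tracked flow", TCP_FLAGS["ACK"],                    True),
]


def evaluate(tcp_loose=True):
    """Map each sample description to {rule: accepted?} under the given conntrack setting."""
    return {desc: {rule: accepted_by(rule, flags, entry, tcp_loose) for rule in RULES}
            for desc, flags, entry in SAMPLES}


if __name__ == "__main__":
    for desc, verdicts in evaluate().items():
        print(f"{desc:22s}", {r: ("ACCEPT" if v else "no match") for r, v in verdicts.items()})
```

Running it shows the two rows that matter: the bare ACK with no conntrack entry is NEW and passes a rule that matches on `--state NEW` alone, while both flag-checked variants reject it; the plain SYN passes all three. Flipping `tcp_loose` to `False` makes the bare ACK INVALID, which is the behaviour the earlier reply in the thread assumed was the default.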