Vulnerability Development mailing list archives
iptables 'syn but not new' packets
From: "Leonardo Rodrigues" <coelho () persogo com br>
Date: Tue, 11 Dec 2001 15:56:19 -0300
Hello Guys,

I was reading an interesting thing about iptables ( http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html#AEN1632 ). It explains that iptables CAN recognize packets that have the syn bit OFF as state NEW. The author of the document recommends:

    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

That makes complete sense. NEW packets with the syn bit turned off should never exist in the real world.

I'm having, as the author warned, some packets being logged by this rule. Although, the machine is working completely fine and no clients have complained about it. So, it seems it's really some 'nasty' tcp/ip implementation.

Questions are:

Has somebody here ever studied this 'feature' of iptables?
Can you imagine some problem generated by this rule?

Note: I do NOT have two firewalls and I probably won't. So, the redundant firewall explained by the author is not applicable for me, and so it shouldn't be for lots of iptables users that have just one machine.

Sincerely,
Leonardo Rodrigues
Persocom Network
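The following script is an added example, not code from Leonardo's post or from the tutorial he cites. It wraps the two rules above in a function that can be dry-run without root, and adds a small summarizer for the kernel log lines the LOG rule produces, so the "New not syn:" hits can be grouped by source address and TCP flag combination instead of being read one by one. It assumes the default netfilter LOG line layout (fields such as SRC= and DPT=, flag words like ACK and FIN before URGP=) and an iptables binary named by $IPTABLES; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the default netfilter
# LOG line layout (SRC=, DPT=, flag words ACK/FIN/... before URGP=) and an
# iptables binary reachable as $IPTABLES; the sample log lines are constructed.
IPTABLES="${IPTABLES:-iptables}"

# The two rules from the post, wrapped in a function. Pass "echo" as $1 for a
# dry run that only prints the commands; pass nothing to execute them (root).
apply_new_not_syn_rules() {
    prefix="$1"
    $prefix $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
    $prefix $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
}

# Constructed kernel log lines, shaped like what the LOG rule above emits.
sample_log() {
    cat <<'EOF'
Dec 11 15:56:19 fw kernel: New not syn:IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0
Dec 11 15:56:19 fw kernel: New not syn:IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1002 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=1024 RES=0x00 ACK URGP=0
Dec 11 15:56:20 fw kernel: New not syn:IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1003 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Dec 11 15:57:02 fw kernel: New not syn:IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=7781 DF PROTO=TCP SPT=33521 DPT=80 WINDOW=5840 RES=0x00 ACK FIN URGP=0
EOF
}

# Summarize "New not syn:" hits: one line per (source, TCP flag set) with a
# hit count, sorted. A lone ACK+FIN to a service port is the shape of a
# connection the state table no longer knows about (for example after a rule
# reload); repeated ACK-only packets from one source across several ports
# deserve a closer look.
summarize_new_not_syn() {
    awk '/New not syn:/ {
        src = ""; flags = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^(URG|ACK|PSH|RST|SYN|FIN)$/) flags = flags (flags == "" ? "" : "+") $i
        }
        if (flags == "") flags = "none"
        hits[src " " flags]++
    }
    END {
        for (k in hits) { split(k, a, " "); printf "%s %d %s\n", a[1], hits[k], a[2] }
    }' | sort
}

# Demo: dry-run the rules, then summarize the constructed log.
apply_new_not_syn_rules echo
sample_log | summarize_new_not_syn
```

Run as-is it only prints the commands and the summary; to install the rules for real, call `apply_new_not_syn_rules` with no argument as root. The summary is meant to be fed from the actual kernel log (for example `grep 'New not syn:' /var/log/messages | summarize_new_not_syn`), which makes it easy to see whether the logged packets are a handful of stale connections or something that repeats.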
Current thread:
- iptables 'syn but not new' packets Leonardo Rodrigues (Dec 11)
- Re: iptables 'syn but not new' packets Blue Boar (Dec 11)
- Re: iptables 'syn but not new' packets Alex Butcher (vuln-dev) (Dec 12)
- Re: iptables 'syn but not new' packets Leonardo Rodrigues (Dec 13)
- Re: iptables 'syn but not new' packets Cedric Blancher (Dec 14)
- <Possible follow-ups>
- Re: iptables 'syn but not new' packets Leonardo Rodrigues (Dec 13)
- Re: iptables 'syn but not new' packets Blue Boar (Dec 11)