Vulnerability Development mailing list archives
Re: iptables 'new but not syn' packets
From: Cedric Blancher <blancher () cartel-info fr>
Date: 14 Dec 2001 11:13:00 +0100
On Thu 13-12-2001 at 15:20, Leonardo Rodrigues wrote:

> Dropping INVALID packets does not seem to deal with these packets. As I stated, iptables recognizes them as NEW state. So a rule that drops INVALID ones wouldn't care about them.
INVALID is a specific state for packets whose state cannot be classified as NEW, ESTABLISHED or RELATED. Which means INVALID packets are very ugly :/ NEW state is relative to the existing connection table: a packet that cannot be attached to an existing connection is NEW, whether it is a TCP SYN or not. As an example, an ICMP error which is not RELATED to an ESTABLISHED connection has an INVALID state.

--
Cédric Blancher
Security consultant, systems and networks
Cartel Informatique - Groupe CGBI - http://www.cartel-info.fr/
Tel: 01 44 06 97 87 - Fax 01 44 06 97 99
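The point of the exchange above is that conntrack puts a TCP packet matching no connection-table entry into state NEW whether or not it carries SYN, so a `--state INVALID -j DROP` rule never sees a non-SYN "new" packet; it needs its own rule that combines `--state NEW` with a negated `--syn` match. The script below is an added example, not code from the thread or from either poster, showing a small INPUT ruleset that logs and drops both classes separately. It assumes legacy `iptables` syntax with the `state` match and an `IPT` variable pointing at the binary; it only prints the rules unless `APPLY=1` is set, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original thread): handle "NEW but not SYN"
# TCP packets separately from INVALID ones. Conntrack labels any TCP packet
# that matches no existing connection as NEW, SYN or not, so the INVALID
# rule alone never catches them. Assumes legacy iptables with -m state.

IPT="${IPT:-iptables}"          # assumption: path to the iptables binary

# Emit the rules as text, one per line, so they can be reviewed or diffed
# before anything is installed.
new_not_syn_rules() {
    cat <<EOF
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "INVALID: "
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "NEW_NOT_SYN: "
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
EOF
}

# Number of rules in the set that match a given conntrack state
# (used to check that NEW and INVALID are each handled explicitly).
count_rules_for_state() {
    new_not_syn_rules | grep -c -- "--state $1 "
}

# Dry run by default; with APPLY=1 every emitted rule is executed in order
# and the function fails on the first rule iptables rejects.
apply_rules() {
    if [ "${APPLY:-0}" != "1" ]; then
        echo "Dry run; set APPLY=1 to install these rules:" >&2
        new_not_syn_rules
        return 0
    fi
    new_not_syn_rules | while IFS= read -r rule; do
        eval "$rule" || { echo "failed: $rule" >&2; exit 1; }
    done
}

apply_rules
```

Expect a burst of `NEW_NOT_SYN:` log lines right after the firewall or the machine restarts: the connection table is empty, so every in-flight TCP segment from a surviving session is "new but not SYN" until the peers reconnect. On later kernels the `nf_conntrack_tcp_loose` sysctl controls whether conntrack picks such mid-stream flows back up as ESTABLISHED; with it on, the DROP rule above only ever sees packets conntrack refused to adopt.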