Firewall Wizards mailing list archives
Re: IPChains ?
From: <hesselsp () ashaman dhs org>
Date: Wed, 21 Feb 2001 10:11:00 -0500 (EST)
To my knowledge: no. This is a new feature in iptables.

$ man iptables
<snip>
--tcp-flags [!] mask comp
    Match when the TCP flags are as specified. The first argument is the flags which we should examine, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command

        iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN

    will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.

On Wed, 21 Feb 2001, Darich Runyan wrote:
Is there a way with IPChains to deny inbound packets with flags other than SYN if they did not originate from my system? I have set up a rule that disallows SYN connections (using the -j DENY -y -l options) to the external interface, but in order for the company internet access to work, it seems that I needed to allow the other flagged packets in. Any assistance with this would be appreciated.

Thanks in advance for the help.

Darich
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
--
--Paul
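The mask/comp semantics quoted from the man page above, as an added example that is not part of the original post and not iptables code: a POSIX sh function that evaluates a --tcp-flags mask comp test against a packet's flag set the way the netfilter tcp match does, by checking (flags & mask) == comp on the flag bits of TCP header byte 13 (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32, so ALL=63). Function names are my own, and the flag sets fed to the rule at the bottom are constructed, not captured traffic.

```shell
#!/bin/sh
# Added example: offline evaluation of iptables "--tcp-flags mask comp".
# Not code from the list post or from the iptables project.

# flag_bits LIST -> prints the numeric value of a comma-separated flag list.
# Bit positions follow byte 13 of the TCP header; ALL and NONE expand as in
# iptables (ALL = 0x3F, NONE = 0). Unknown names are an error (status 1).
flag_bits() {
    bits=0
    old_ifs=$IFS; IFS=,
    for f in $1; do
        case "$f" in
            FIN)  bits=$((bits | 1)) ;;
            SYN)  bits=$((bits | 2)) ;;
            RST)  bits=$((bits | 4)) ;;
            PSH)  bits=$((bits | 8)) ;;
            ACK)  bits=$((bits | 16)) ;;
            URG)  bits=$((bits | 32)) ;;
            ALL)  bits=63 ;;
            NONE) bits=0 ;;
            *)    IFS=$old_ifs; echo "unknown TCP flag: $f" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs
    echo "$bits"
}

# tcp_flags_match MASK COMP PACKET_FLAGS
# Returns 0 (match) when (packet & MASK) == COMP, i.e. every flag named in
# COMP is set, every flag in MASK but not in COMP is clear, and flags
# outside MASK are ignored. Returns 2 on a bad flag name. A flag listed in
# COMP but not in MASK can never match, exactly as with the bitwise test.
tcp_flags_match() {
    mask=$(flag_bits "$1") || return 2
    comp=$(flag_bits "$2") || return 2
    pkt=$(flag_bits "$3")  || return 2
    [ $(( pkt & mask )) -eq "$comp" ]
}

# Constructed sample flag sets run through the rule from the post:
#   --tcp-flags SYN,ACK,FIN,RST SYN
# Only a bare SYN (plus any of URG/PSH, which are outside the mask) matches;
# SYN,ACK replies and ACK-only data packets do not.
for pkt in SYN SYN,ACK ACK,PSH SYN,URG FIN,ACK NONE; do
    if tcp_flags_match SYN,ACK,FIN,RST SYN "$pkt"; then
        echo "$pkt: matches (new connection attempt)"
    else
        echo "$pkt: does not match"
    fi
done
```

The "[!]" in the man page synopsis inverts the whole test, so "! --tcp-flags SYN,ACK,FIN,RST SYN" corresponds to the function returning non-zero: everything except a connection-opening SYN. Because the comparison is purely on the flag bits of the packet in hand, it cannot tell whether a SYN,ACK is a reply to a connection your own hosts opened; that is what the question is really asking for, and it needs connection tracking rather than a flag match.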
Current thread:
- IPChains ? Darich Runyan (Feb 21)
- RE: IPChains ? Chris Beckwith (Feb 21)
- Re: IPChains ? hesselsp (Feb 21)