Is ipchains -y secure enough?

["Philip Stoev" <philip () stoev org>]

Excuse me for the ignorance, but I would like to ask if the community
considers ipchains rules containing the -y flag as secure for the purpose of
TCP filtering. Such a rule will prevent the stablishment of TCP connections
to the host being firewalled. Is there a way to curcumvent such a
protection?

I am mostly interested if direct attacks (as if there is no firewall rule at
all) are possible. I know that if there is a broken proxy server or a web
interface or something else that can be used as a launch pad, such filters
may not help. However, what can an attacker do to a filtered service if no
other vulnerable or insecure service exists?

We assume that there are no UDP services running on the machine being
firewalled (as -y filters do not apply to those) and that the TCP/IP stacks
are stable enough (no DoS conditions, floods, etc.).

Yes, I know that port scanners can bypass -y filters and still map the host
being firewalled, however is there more that can be done against such a
host?

Thanks in advance.

Philip