Vulnerability Development mailing list archives
iptables 'syn but not new' packets
From: "Leonardo Rodrigues" <coelho () persogo com br>
Date: Tue, 11 Dec 2001 15:56:19 -0300
Hello Guys,
I was reading an interesting thing about iptables
( http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html#AEN1632 ).
It explains that iptables CAN recognize packets that have the syn bit OFF
as state NEW. The author of the document recommends:
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
That makes complete sense. NEW packets with the syn bit turned off
should never exist in the real world.
I'm having, as the author warned, some packets being logged by this
rule. Although the machine is working completely fine and no clients have
complained about it. So, it seems it's really some 'nasty' tcp/ip
implementation.
Questions are: Has anybody here ever studied this 'feature' of
iptables? Can you imagine some problem generated by this rule?
Note: I do NOT have two firewalls and I probably won't. So, the
redundant firewall explained by the author does not apply to me, and
it shouldn't for lots of iptables users, who have just one machine.
Sincerely,
Leonardo Rodrigues
Persocom Network
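An added example, not part of the original post or of the tutorial it cites: a small Python script that tallies the syslog lines written by the "New not syn:" LOG rule above by TCP flag combination and by source/destination port, so an admin can see whether the logged packets cluster on one established service port (what you would expect from connections that predate the ruleset or a conntrack table flush) or are spread across many ports from a single source. The log lines are constructed samples in the format the iptables LOG target emits, and the three-port threshold is an assumed heuristic, not anything from the page.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the iptables LOG target format, carrying
# the "New not syn:" prefix from the rule quoted in the post.
SAMPLE_LOG = """\
Dec 11 15:40:01 fw kernel: New not syn:IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33012 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Dec 11 15:40:03 fw kernel: New not syn:IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33012 DPT=80 WINDOW=5840 RES=0x00 ACK FIN URGP=0
Dec 11 15:41:10 fw kernel: New not syn:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Dec 11 15:41:10 fw kernel: New not syn:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=1 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 ACK URGP=0
Dec 11 15:41:10 fw kernel: New not syn:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=1 PROTO=TCP SPT=40000 DPT=25 WINDOW=1024 RES=0x00 ACK URGP=0
"""

PREFIX = "New not syn:"
# The LOG target prints set TCP flags as bare words before URGP=.
FLAG_WORDS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

def parse_line(line):
    """Return (src, dport, flags) for one matching LOG line, else None."""
    if PREFIX not in line or "PROTO=TCP" not in line:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", line))   # KEY=VALUE tokens
    words = set(line.split())
    flags = frozenset(f for f in FLAG_WORDS if f in words)
    return fields["SRC"], int(fields["DPT"]), flags

def summarize(log_text):
    """Tally packets by flag combination and collect the set of destination
    ports each source address was logged against."""
    by_flags = Counter()
    ports_per_src = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dport, flags = rec
        by_flags["+".join(sorted(flags)) or "none"] += 1
        ports_per_src.setdefault(src, set()).add(dport)
    return by_flags, ports_per_src

def spread_sources(ports_per_src, min_ports=3):
    """Sources logged against at least min_ports distinct ports: these do not
    look like a single stale connection and deserve a closer look (assumed
    heuristic threshold)."""
    return sorted(s for s, p in ports_per_src.items() if len(p) >= min_ports)

if __name__ == "__main__":
    flags, ports = summarize(SAMPLE_LOG)
    print(dict(flags), spread_sources(ports))
```

Whatever the result, the LOG rule itself should normally be rate limited with the `limit` match (`-m limit --limit ...`) so a burst of such packets cannot fill the syslog.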
