Vulnerability Development mailing list archives

Re: iptables 'new but not syn' packets


From: Cedric Blancher <blancher () cartel-info fr>
Date: 14 Dec 2001 11:13:00 +0100

On Thu 13-12-2001 at 15:20, Leonardo Rodrigues wrote:
    Dropping INVALID packets seems to not deal with these packets. As I
stated, iptables recognizes them as NEW state. So a rule that drops
INVALID ones wouldn't care about them.

INVALID is a specific state for packets whose state cannot be classified
as NEW, ESTABLISHED or RELATED. Which means INVALID packets are very
ugly :/ NEW state is relative to the existing connection table: a packet
that cannot be attached to an existing connection is NEW, whether it is a
TCP SYN or not.
As an example, an ICMP error which is not RELATED to an ESTABLISHED
connection has an INVALID state.

-- 
Cédric Blancher
Systems and network security consultant
Cartel Informatique - Groupe CGBI - http://www.cartel-info.fr/
Tel: 01 44 06 97 87 - Fax 01 44 06 97 99
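A worked illustration of the state logic described in the reply above, added here and not part of the original post or of the Netfilter project's code. It is a deliberately simplified model of connection tracking: a packet that cannot be tied to an entry in the connection table is NEW whether or not it is a SYN, an ICMP error that points at a tracked connection is RELATED, and one that points at nothing is INVALID. It then runs the two filtering policies from the thread over constructed sample packets: dropping only INVALID (which lets a bare ACK through as NEW) versus adding the usual "-p tcp ! --syn -m state --state NEW -j DROP" rule. The addresses, ports and the ConnTable/classify/filter_packet names are assumptions for the example; the real conntrack code (TCP window tracking, timeouts, loose-mode sysctls) is not modelled.

```python
"""Simplified model of iptables connection-state classification (added example)."""
from dataclasses import dataclass, field
from typing import Optional

NEW, ESTABLISHED, RELATED, INVALID = "NEW", "ESTABLISHED", "RELATED", "INVALID"


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # TCP SYN flag set (the iptables --syn match)
    ack: bool = False
    # For ICMP errors: the (proto, src, sport, dst, dport) of the packet that
    # triggered the error, as carried in the ICMP payload. None otherwise.
    icmp_error_for: Optional[tuple] = None


@dataclass
class ConnTable:
    """Hypothetical connection table: entries are direction-agnostic keys."""
    entries: set = field(default_factory=set)

    def key(self, proto, src, sport, dst, dport):
        # Store both directions so the reply direction matches the same entry.
        return frozenset({(proto, src, sport, dst, dport),
                          (proto, dst, dport, src, sport)})

    def has(self, *tup):
        return self.key(*tup) in self.entries

    def add(self, *tup):
        self.entries.add(self.key(*tup))


def classify(pkt: Packet, table: ConnTable) -> str:
    """Assign a conntrack-like state to pkt, following the rules in the thread."""
    if pkt.proto == "icmp" and pkt.icmp_error_for is not None:
        # ICMP error: RELATED if the embedded tuple belongs to a tracked
        # connection, otherwise INVALID (cannot be NEW, ESTABLISHED or RELATED).
        return RELATED if table.has(*pkt.icmp_error_for) else INVALID
    if table.has(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport):
        return ESTABLISHED
    # Not attached to any existing connection: NEW, SYN or not.
    return NEW


def rule_drop_invalid(pkt, state):
    """-m state --state INVALID -j DROP"""
    return state == INVALID


def rule_drop_new_not_syn(pkt, state):
    """-p tcp ! --syn -m state --state NEW -j DROP"""
    return pkt.proto == "tcp" and state == NEW and not pkt.syn


def filter_packet(pkt, table, rules):
    """Return (state, verdict). Rules are tried in order; the first match DROPs.
    A packet accepted in state NEW creates a connection entry."""
    state = classify(pkt, table)
    for rule in rules:
        if rule(pkt, state):
            return state, "DROP"
    if state == NEW:
        table.add(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return state, "ACCEPT"


def demo():
    """Run the thread's scenario on constructed packets; return per-case results."""
    strict = [rule_drop_invalid, rule_drop_new_not_syn]
    table = ConnTable()
    results = {}
    # Constructed sample traffic (addresses and ports are made up).
    ack_only = Packet("tcp", "10.0.0.5", 40000, "10.0.0.1", 80, ack=True)
    syn = Packet("tcp", "10.0.0.6", 40001, "10.0.0.1", 80, syn=True)
    syn_ack = Packet("tcp", "10.0.0.1", 80, "10.0.0.6", 40001, syn=True, ack=True)
    related_icmp = Packet("icmp", "10.0.0.1", 0, "10.0.0.6", 0,
                          icmp_error_for=("tcp", "10.0.0.6", 40001, "10.0.0.1", 80))
    stray_icmp = Packet("icmp", "10.0.0.9", 0, "10.0.0.1", 0,
                        icmp_error_for=("tcp", "10.0.0.1", 12345, "10.0.0.9", 22))

    # Dropping only INVALID: the bare ACK is classified NEW and is accepted.
    results["ack_invalid_only"] = filter_packet(ack_only, ConnTable(), [rule_drop_invalid])
    # The NEW-but-not-SYN rule is what actually catches it.
    results["ack_new_not_syn"] = filter_packet(ack_only, table, strict)
    # A genuine SYN is still accepted and creates the connection entry...
    results["syn"] = filter_packet(syn, table, strict)
    # ...so the reply direction is ESTABLISHED.
    results["syn_ack"] = filter_packet(syn_ack, table, strict)
    # An ICMP error about that connection is RELATED.
    results["related_icmp"] = filter_packet(related_icmp, table, strict)
    # An ICMP error about a connection nobody tracks is INVALID and dropped.
    results["stray_icmp"] = filter_packet(stray_icmp, table, strict)
    return results


if __name__ == "__main__":
    for name, (state, verdict) in demo().items():
        print(f"{name:18s} {state:12s} {verdict}")
```

The point the model makes concrete is the one in the reply: "INVALID" is not a catch-all for odd packets, so a firewall that only drops INVALID still accepts a non-SYN packet that opens a new entry in the connection table, and a separate NEW-and-not-SYN rule is needed to refuse it.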

