On Wednesday 02 October 2002 8:40 pm, pfy wrote:
> hi
> there seems to be a bug in tcp connection tracking: if a
> connection does NOT close with a RST, then the state of the
> connection rests ESTABLISHED.

I disagree. Standard FIN-ACK packets close connections perfectly well.

> So if you put a rule up like this on an attacker machine:
> iptables -A OUTPUT --dst <victim> -p tcp --tcp-flags ALL RST -j DROP

Let's see, what does this rule do ? On *my* machine (assuming I'm the attacker :-), it stops me sending RST (only) packets to the specific destination....

Now, why would my machine want to send a RST packet anyway ?

> and then connection flood the victim, the connection track table
> will overflow

Well, yes, this is pretty much the definition of a connection flood. Nothing to do with RST packets....

Have I misunderstood something significant here ?

Antony.

-- 
Anything that improbable is effectively impossible.
 - Murray Gell-Mann, Nobel Prizewinner in Physics
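The two claims in the exchange above (that a FIN/ACK close takes a tracked connection out of ESTABLISHED without any RST, and that a connection flood overflows the tracking table regardless of what the attacker does with RST) can be checked against a small model of a TCP connection-tracking table. The following is an added example written for this page, not code from the mailing list, the poster, or the netfilter project: it is a simplified state machine, not the kernel's ip_conntrack code, and the per-state timeouts are assumed to mirror the nf_conntrack defaults (SYN_SENT 120 s, ESTABLISHED 5 days, TIME_WAIT 120 s, CLOSE 10 s) rather than copied from a specific kernel version. Addresses, ports and the table size are constructed for the demonstration.

```python
"""Toy model of a bounded TCP connection-tracking table in the style of
netfilter conntrack. Illustration only; not the kernel's implementation."""
from dataclasses import dataclass

# Per-state entry timeouts in seconds. Assumed to follow the nf_conntrack
# defaults; treat the exact values as an assumption of this example.
TIMEOUTS = {
    "SYN_SENT": 120, "SYN_RECV": 60, "ESTABLISHED": 5 * 24 * 3600,
    "FIN_WAIT": 120, "CLOSE_WAIT": 60, "LAST_ACK": 30,
    "TIME_WAIT": 120, "CLOSE": 10,
}


@dataclass
class Entry:
    state: str
    expires: float


class Conntrack:
    """Table keyed by the connection 4-tuple, capped at max_entries."""

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.table = {}
        self.dropped = 0  # new connections refused because the table was full

    def _set(self, key, state, now):
        self.table[key] = Entry(state, now + TIMEOUTS[state])

    def expire(self, now):
        """Evict every entry whose per-state timeout has elapsed."""
        for key in [k for k, e in self.table.items() if e.expires <= now]:
            del self.table[key]

    def packet(self, key, flags, reply, now=0.0):
        """Apply one packet. flags is a set such as {"SYN"} or {"FIN", "ACK"};
        reply=True means it travels from responder back to originator.
        Returns the new tracked state, or None if the packet created nothing."""
        entry = self.table.get(key)
        if entry is None:
            if flags == {"SYN"} and not reply:
                if len(self.table) >= self.max_entries:
                    self.dropped += 1           # table overflow: the flood case
                    return None
                self._set(key, "SYN_SENT", now)
                return "SYN_SENT"
            return None                         # stray packet, not tracked here
        st = entry.state
        if "RST" in flags:
            new = "CLOSE"                       # RST tears the entry down fast
        elif st == "SYN_SENT" and flags == {"SYN", "ACK"} and reply:
            new = "SYN_RECV"
        elif st == "SYN_RECV" and "ACK" in flags and not reply:
            new = "ESTABLISHED"
        elif st == "ESTABLISHED" and "FIN" in flags:
            new = "FIN_WAIT"                    # first FIN, from either side
        elif st == "FIN_WAIT" and "FIN" in flags:
            new = "LAST_ACK"                    # second FIN
        elif st == "FIN_WAIT" and "ACK" in flags:
            new = "CLOSE_WAIT"                  # first FIN acknowledged
        elif st == "CLOSE_WAIT" and "FIN" in flags:
            new = "LAST_ACK"
        elif st == "LAST_ACK" and "ACK" in flags:
            new = "TIME_WAIT"                   # close complete, short timeout
        else:
            new = st                            # data or duplicate ACK: no change
        self._set(key, new, now)
        return new


def fin_ack_close():
    """Handshake, one data segment, then an orderly FIN/ACK close with no RST
    anywhere. Returns the sequence of tracked states; the last is TIME_WAIT."""
    ct = Conntrack(max_entries=10)
    k = ("10.0.0.1", 40000, "10.0.0.2", 80)  # constructed 4-tuple
    steps = [({"SYN"}, False), ({"SYN", "ACK"}, True), ({"ACK"}, False),
             ({"ACK"}, False),
             ({"FIN", "ACK"}, False), ({"ACK"}, True),
             ({"FIN", "ACK"}, True), ({"ACK"}, False)]
    return [ct.packet(k, f, r) for f, r in steps]


def flood(attempts, table_size, complete_handshake):
    """Attacker opens `attempts` connections from distinct source ports and
    never closes them; no RST is sent in either variant, so dropping RSTs on
    the attacker side changes nothing. Returns (entries after the flood,
    SYNs refused, entries left once the SYN_SENT timeout has passed)."""
    ct = Conntrack(max_entries=table_size)
    for port in range(attempts):
        k = ("10.0.0.1", 1024 + port, "10.0.0.2", 80)
        if ct.packet(k, {"SYN"}, False) is None:
            continue
        if complete_handshake:
            ct.packet(k, {"SYN", "ACK"}, True)
            ct.packet(k, {"ACK"}, False)
    filled = len(ct.table)
    ct.expire(now=TIMEOUTS["SYN_SENT"] + 1)
    return filled, ct.dropped, len(ct.table)


if __name__ == "__main__":
    print("FIN/ACK close:", " -> ".join(fin_ack_close()))
    print("half-open flood (filled, refused, left after 121 s):", flood(1000, 256, False))
    print("established flood (filled, refused, left after 121 s):", flood(1000, 256, True))
```

The orderly close walks the entry to TIME_WAIT without a single RST, which is Antony's point. The flood fills the 256-slot table and refuses the remaining 744 SYNs in both variants; the only thing the attacker's choice changes is how long the entries linger afterwards: half-open SYN_SENT entries are gone two minutes later, whereas fully established ones sit in the table for the five-day ESTABLISHED timeout, which is why completing the handshake, not suppressing RST, is what makes a conntrack flood persistent.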