On Wed 09/04/2003 at 13:16, Carlos Ble wrote:
> Hi all. Two days ago, I added the policy that drops all new TCP connections
> that start without SYN to prevent port scanners and other attacks:
>
> iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
>     --log-prefix "NEW tcp try no SYN:"
> iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

You can add the RELATED state to this:

iptables -A bad_tcp_packets -p tcp ! --syn -m state \
    --state NEW,RELATED -j DROP

> Another question: I had disabled the ICMP answers:
>
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> to try to be "invisible" to some wicked programs.
> Will I have problems with some other programs that ping
> before establishing a connection?

If a program waits for a ping reply before attempting a connection, sure, you'll have problems. You can mitigate this issue by dealing with echo requests in your ruleset, and so have some addresses that can still ping.

-- 
Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
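The ruleset-based alternative Cédric suggests, as an added example (not code from either poster): instead of silencing echo replies globally with icmp_echo_ignore_all, the firewall answers ping only from a short list of trusted sources and drops every other echo-request. The chain name icmp_policy, the trusted addresses (RFC 5737 documentation ranges, constructed for the example), hooking both chains into INPUT and the print-before-apply design are all assumptions of this example; the bad_tcp_packets rules are the ones quoted in the thread with the NEW,RELATED change applied.

```shell
#!/bin/sh
# Added example, not from the original thread. Chain names, addresses and the
# INPUT hooks are assumptions; adjust to the local ruleset before applying.

# Trusted sources that may still ping us (constructed: RFC 5737 documentation
# addresses). Space-separated so the shell can split it into arguments.
ALLOWED_PINGERS="${ALLOWED_PINGERS:-192.0.2.10 198.51.100.0/24}"

# Print (do not run) the rules for a chain that accepts echo-request only from
# the given sources and drops the rest; other ICMP types return to the caller.
# Usage: icmp_echo_rules <chain> [source ...]
icmp_echo_rules() {
    chain="$1"; shift
    echo "iptables -N $chain"
    for src in "$@"; do
        echo "iptables -A $chain -p icmp --icmp-type echo-request -s $src -j ACCEPT"
    done
    echo "iptables -A $chain -p icmp --icmp-type echo-request -j DROP"
    echo "iptables -A $chain -j RETURN"
    echo "iptables -A INPUT -p icmp -j $chain"
}

# Print the bad_tcp_packets rules from the thread, with RELATED added to the
# state match as suggested in the reply, and hook the chain into INPUT.
bad_tcp_rules() {
    echo "iptables -N bad_tcp_packets"
    echo "iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW,RELATED -j LOG --log-prefix \"NEW tcp try no SYN:\""
    echo "iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW,RELATED -j DROP"
    echo "iptables -A INPUT -p tcp -j bad_tcp_packets"
}

# Number of ACCEPT rules a generated echo policy contains (one per trusted
# source); useful as a sanity check before applying the rules.
count_accepts() {
    icmp_echo_rules "$@" | grep -c -- '-j ACCEPT' || true
}

# Apply the generated rules (needs root). The kernel must be allowed to answer
# echo-requests again, otherwise the ACCEPT rules would never produce a reply;
# icmp_echo_ignore_broadcasts is deliberately left untouched.
apply_rules() {
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    # $ALLOWED_PINGERS is intentionally unquoted so each address is one argument.
    { bad_tcp_rules; icmp_echo_rules icmp_policy $ALLOWED_PINGERS; } | sh -e
}

# Usage: sh ping_policy.sh        -> print the rules for review
#        sh ping_policy.sh apply  -> apply them (as root)
if [ "$1" = apply ]; then
    apply_rules
else
    bad_tcp_rules
    icmp_echo_rules icmp_policy $ALLOWED_PINGERS
fi
```

Run the script without arguments first and read the printed iptables commands; only the `apply` form touches /proc and the live ruleset. Hosts outside ALLOWED_PINGERS get no echo reply at all, so a client that pings before connecting will still fail from those addresses, which is the trade-off the reply describes.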