As far as I understand, an "ACK" packet can also start a "NEW" connection. If the connection remains idle for long, Netfilter's connection tracking engine times out that connection and removes its entry from the state table. Now when an "ACK" packet comes back after some time, the connection tracking engine marks this as a "NEW" connection. However, I am not sure how the state changes to "ESTABLISHED".

dhiraj

-----Original Message-----
From: Cedric Blancher [mailto:blancher@xxxxxxxxxxxxxxxxxx]
Sent: 09 April 2003 11:33
To: carlosble@xxxxxxxx
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: new tcp connections, without SYN

On Wed 09/04/2003 at 13:16, Carlos Ble wrote:
> Hi all. Two days ago, I added the policy that drops all new tcp connections
> that start without SYN to prevent port scanners and other attacks:
> iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
> --log-prefix "NEW tcp try no SYN:"
> iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

You can add RELATED state to this :

iptables -A bad_tcp_packets -p tcp ! --syn -m state \
--state NEW,RELATED -j DROP

> Another question: I had disabled the icmp answers :
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> to try to be "invisible" for some wicked programs.
> Will I have problems with some other programs that make a ping
> before establishing a connection?

If a program waits for a ping reply before attempting a connection, sure you'll have problems. You can mitigate this issue by handling echo requests in your ruleset, so that some addresses can still ping.

--
Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
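The thread above asks two things: why a bare ACK that arrives after the tracking entry has expired is classified NEW and therefore hit by the `! --syn --state NEW -j DROP` rule, and when conntrack moves a flow from NEW to ESTABLISHED (it does so once it has seen a packet in the reply direction). The following Python script is an added, deliberately simplified model of that behaviour; it is not Netfilter code and not part of the mailing-list thread. The addresses, ports, timestamps and the 10-second timeout are constructed for the demonstration (the real default for an established TCP flow, `nf_conntrack_tcp_timeout_established`, is 5 days), and the toy does not destroy the entry of a dropped packet as the kernel would.

```python
"""Toy model of Netfilter connection tracking for TCP (constructed illustration).

Not netfilter code: it models just enough of conntrack to show (a) why a bare
ACK arriving after the tracking entry has timed out is classified NEW, (b) how
a flow becomes ESTABLISHED once a reply-direction packet is seen, and (c) how
the `-p tcp ! --syn -m state --state NEW -j DROP` rule then discards stray ACKs.
"""
from dataclasses import dataclass, field

SYN, FIN, RST, ACK = 0x02, 0x01, 0x04, 0x10


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    t: float  # arrival time in seconds (constructed clock)


@dataclass
class ConnTrack:
    # Idle time after which an entry is forgotten; 10 s here so the expiry
    # shows up within a few steps (Linux default for ESTABLISHED is 432000 s).
    timeout: float = 10.0
    table: dict = field(default_factory=dict)

    @staticmethod
    def key(p):
        # Both directions of a flow map to the same entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def state(self, p):
        """Return 'NEW' or 'ESTABLISHED' as `-m state` would see it, updating the table."""
        k = self.key(p)
        entry = self.table.get(k)
        if entry is not None and p.t - entry["last"] > self.timeout:
            del self.table[k]  # idle too long: conntrack has forgotten this flow
            entry = None
        if entry is None:
            # First packet of a flow conntrack knows nothing about: NEW,
            # regardless of which TCP flags it carries.
            self.table[k] = {"orig": (p.src, p.sport, p.dst, p.dport),
                             "seen_reply": False, "last": p.t}
            return "NEW"
        entry["last"] = p.t
        if (p.src, p.sport, p.dst, p.dport) == entry["orig"]:
            # Same direction as the first packet: still NEW until a reply is seen.
            return "ESTABLISHED" if entry["seen_reply"] else "NEW"
        entry["seen_reply"] = True  # traffic in both directions -> ESTABLISHED
        return "ESTABLISHED"


def is_syn(p):
    """iptables `--syn`: SYN set and ACK, RST, FIN all clear."""
    return bool(p.flags & SYN) and not (p.flags & (ACK | RST | FIN))


def bad_tcp_packets(p, ct):
    """Model of the chain from the thread: non-SYN packets conntrack calls NEW are dropped."""
    st = ct.state(p)
    verdict = "DROP" if (not is_syn(p) and st == "NEW") else "ACCEPT"
    return st, verdict


def demo():
    """Run a constructed packet sequence through the model; returns (state, verdict) per packet."""
    ct = ConnTrack()
    c, s = "10.0.0.2", "10.0.0.1"  # constructed client and server addresses
    steps = [
        Packet(c, 40000, s, 22, SYN, 0.0),        # handshake SYN: NEW, but it is --syn, so accepted
        Packet(s, 22, c, 40000, SYN | ACK, 0.1),  # reply direction seen: flow becomes ESTABLISHED
        Packet(c, 40000, s, 22, ACK, 0.2),        # third handshake packet: ESTABLISHED, accepted
        Packet(c, 40000, s, 22, ACK, 100.0),      # idle > timeout: entry gone, bare ACK is NEW -> DROP
        Packet(c, 40001, s, 22, ACK, 100.0),      # bare ACK for a flow never tracked: NEW -> DROP
    ]
    return [bad_tcp_packets(p, ct) for p in steps]


if __name__ == "__main__":
    for i, (st, verdict) in enumerate(demo(), 1):
        print(f"packet {i}: state={st:<12} verdict={verdict}")
```

Packets four and five are exactly the case dhiraj describes: a packet that is part of a real session from the application's point of view, but that conntrack no longer (or never) has an entry for, so the `--state NEW` match fires and the `! --syn` rule drops it. Raising `nf_conntrack_tcp_timeout_established` or enabling TCP keepalives on long-idle sessions are the usual ways to keep legitimate flows tracked.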