On Wednesday 09 April 2003 13:33, Cedric Blancher wrote:
> On Wed 09/04/2003 at 13:16, Carlos Ble wrote:
> > Hi all. Two days ago, I added the policy that drops all new tcp
> > connections that start without SYN to prevent port scanners and
> > other attacks:
> >
> > iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
> >     --log-prefix "NEW tcp try no SYN:"
> > iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
>
> You can add RELATED state to this:
>
> iptables -A bad_tcp_packets -p tcp ! --syn -m state \
>     --state NEW,RELATED -j DROP

That doesn't necessarily help though. Our firewall also has a 'new, not syn'
filter and it gets hit a LOT. On average about 20% of all blocked packets.
Another 20% are unexpected RSTs (i.e. RSTs that cannot be mapped to a RELATED
or ESTABLISHED connection.)

It has been like this for quite some months, and everything works as expected,
but we never found the cause of these new-not-syns and unexpected resets.
(Yes, related traffic _is_ properly accepted, so that can't be the case.)

--
Martijn
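An added example, not part of the thread: a small Python script that parses iptables LOG output of the kind the rule above produces and tallies blocked TCP packets by flag pattern and source, so that the "new, not SYN" and stray-RST shares Martijn describes can be measured per source instead of eyeballed. The kernel log lines are constructed; the "DROP INVALID:" and "DROP INPUT:" prefixes are assumed names for other logging rules, not from the thread.

```python
import re
from collections import Counter

# Constructed sample lines in iptables LOG format (not real traffic).
SAMPLE_LOG = """\
Apr  9 13:40:01 fw kernel: NEW tcp try no SYN:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=55 ID=0 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Apr  9 13:40:02 fw kernel: NEW tcp try no SYN:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=55 ID=0 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
Apr  9 13:40:05 fw kernel: NEW tcp try no SYN:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TTL=48 ID=0 PROTO=TCP SPT=51000 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Apr  9 13:40:09 fw kernel: DROP INVALID:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TTL=48 ID=0 PROTO=TCP SPT=51000 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Apr  9 13:40:11 fw kernel: DROP INPUT:IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=33000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = ("SYN", "ACK", "RST", "FIN", "PSH", "URG")
KV = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Split one LOG line into (prefix, key=value fields, set of TCP flag tokens).
    The prefix is everything between 'kernel: ' and the first 'IN=' field, so the
    word SYN inside the prefix text is not mistaken for a flag."""
    m = re.search(r"kernel: (.*?)(IN=.*)$", line)
    if not m:
        return None
    prefix, rest = m.group(1).strip(), m.group(2)
    fields = dict(KV.findall(rest))
    flags = {tok for tok in rest.split() if tok in TCP_FLAGS}
    return prefix, fields, flags

def classify(fields, flags):
    """Bucket a blocked packet by what its TCP flags say about it."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    if "SYN" in flags and "ACK" not in flags:
        return "syn"          # plain connection attempt blocked by policy
    if "RST" in flags:
        return "stray-rst"    # reset for a connection conntrack does not know
    if "ACK" in flags and flags <= {"ACK", "FIN", "PSH", "URG"}:
        return "stray-ack"    # mid-stream segment with no state entry, e.g. aged out
    return "other"            # SYN/ACK or odd combinations (e.g. flag-less scans)

def summarize(log_text):
    """Return (counts per category, counts per (source, category))."""
    by_cat, by_src = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        _prefix, fields, flags = parsed
        cat = classify(fields, flags)
        by_cat[cat] += 1
        by_src[(fields.get("SRC"), cat)] += 1
    return by_cat, by_src

if __name__ == "__main__":
    cats, srcs = summarize(SAMPLE_LOG)
    total = sum(cats.values())
    for cat, n in cats.most_common():
        print(f"{cat:10s} {n:4d}  {100.0 * n / total:5.1f}%")
    for (src, cat), n in srcs.most_common():
        print(f"  {src:16s} {cat:10s} {n}")
```

Pointing the script at the real syslog (after filtering for the firewall's LOG prefixes) shows whether the non-SYN hits cluster on a few sources and ports or are spread across many short-lived connections, which is the first thing to check when hunting the cause.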