RE: new tcp connections, without SYN

On Wed 09/04/2003 at 18:04, dhiraj.2.bhuyan@xxxxxx wrote:
> I tried sending an "ACK" packet from behind my Netfilter firewall to a
> machine on the public side that actually doesn't exist.
> A look in the /proc/net/ip_conntrack tells me that Netfilter tracked this
> connection as "ESTABLISHED" but "UNREPLIED". So Netfilter does in fact allow
> starting a TCP connection with an ACK packet.

Yes it does, unless you apply the tcp-nopickup patch, which enforces that NEW and
RELATED TCP packets must be SYN ones, flagging the others as INVALID.

This behaviour allows one to handle connections for which the firewall has
not seen the SYN packet, such as asymmetrical routing, failover, reboot and
the like.

-- 
Cédric Blancher  <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
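Added example for the behaviour discussed in this thread (it is not code from either poster, nor the tcp-nopickup patch). It shows the usual userland way to get the "NEW must be SYN" rule the patch enforces in the kernel, and a small scan of /proc/net/ip_conntrack for the ESTABLISHED-but-UNREPLIED entries the original poster saw. The IPTABLES variable, the function names and the conntrack sample lines are all assumptions made here; the sample is constructed, not captured from a real box, and uses documentation address ranges.

```shell
#!/bin/sh
# Added example for this thread; not code from the original posters nor from
# the tcp-nopickup patch. IPTABLES is an assumed variable: it defaults to a
# dry run ("echo iptables") so the script can be read and tested without
# root; set IPTABLES=iptables to really load the rules.
IPTABLES="${IPTABLES:-echo iptables}"

# Userland equivalent of "NEW must be SYN" for one chain. iptables' --syn
# matches SYN set with ACK, RST and FIN clear, so "! --syn" catches a bare
# ACK (or any other non-SYN combination) that conntrack would otherwise
# accept as a NEW connection and pick up as ESTABLISHED. Put these before
# the usual "--state NEW,ESTABLISHED -j ACCEPT" rule.
nosyn_rules() {
    chain="$1"
    $IPTABLES -A "$chain" -p tcp ! --syn -m state --state NEW \
        -j LOG --log-prefix "NEW-not-SYN: "
    $IPTABLES -A "$chain" -p tcp ! --syn -m state --state NEW -j DROP
}

# Constructed sample of /proc/net/ip_conntrack lines in the 2003-era layout
# (not captured from a real box). Entry 2 is the case from the thread: a
# TCP entry that is ESTABLISHED yet still [UNREPLIED], i.e. created from a
# bare ACK rather than from a SYN the firewall saw.
SAMPLE_CONNTRACK='tcp      6 431998 ESTABLISHED src=192.168.1.10 dst=198.51.100.20 sport=40001 dport=80 src=198.51.100.20 dst=192.168.1.10 sport=80 dport=40001 use=1
tcp      6 431990 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40002 dport=22 [UNREPLIED] src=203.0.113.5 dst=192.168.1.10 sport=22 dport=40002 use=1
tcp      6 119 SYN_SENT src=192.168.1.10 dst=198.51.100.21 sport=40003 dport=443 [UNREPLIED] src=198.51.100.21 dst=192.168.1.10 sport=443 dport=40003 use=1
udp      17 29 src=192.168.1.10 dst=198.51.100.1 sport=5353 dport=53 [UNREPLIED] src=198.51.100.1 dst=192.168.1.10 sport=53 dport=5353 use=1'

# Print the TCP entries that conntrack picked up without a handshake:
# ESTABLISHED state but still [UNREPLIED]. A SYN-started connection sits in
# SYN_SENT while unreplied and only reaches ESTABLISHED after the peer has
# answered, so this combination means no SYN was ever seen. Reads stdin,
# or the file(s) given (e.g. /proc/net/ip_conntrack).
picked_up_entries() {
    awk '$1 == "tcp" && $4 == "ESTABLISHED" && /\[UNREPLIED\]/' "$@"
}

# Number of such entries in the conntrack text passed as the argument.
count_picked_up() {
    printf '%s\n' "$1" | picked_up_entries | awk 'END { print NR }'
}

# Stand-alone run: show the rules for FORWARD and scan the sample.
nosyn_rules FORWARD
printf '%s\n' "$SAMPLE_CONNTRACK" | picked_up_entries
```

The rules above only block the pickup at the filter level; conntrack itself still creates the ESTABLISHED/UNREPLIED entry for the bare ACK, which is why the scan is useful on a box running the unpatched kernel. Kernels newer than the ones discussed here expose the same knob as a sysctl (`net.netfilter.nf_conntrack_tcp_loose=0` disables picking up already established connections), which is the patch's behaviour without the patch; it is mentioned here as later context, not as something the thread covers.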
