Now I know I might need to recompile iptables with the tcp-nopickup patch. Can you please elaborate more on what it does?
And also, could someone please write back with rules to block port scans (do I HAVE to block ICMP completely for that?).
Rahul
Cedric Blancher wrote:
On Wed 09/04/2003 at 18:04, dhiraj.2.bhuyan@xxxxxx wrote:
I tried sending an "ACK" packet from behind my Netfilter firewall to a
machine on the public side that actually doesn't exist.
A look in the /proc/net/ip_conntrack tells me that Netfilter tracked this
connection as "ESTABLISHED" but "UNREPLIED". So Netfilter does in fact allow
starting a TCP connection with an ACK packet.
Yes it does, unless you apply the tcp-nopickup patch, which enforces that NEW and RELATED TCP packets must be SYN ones, flagging the others as INVALID.
This behaviour allows one to handle connections for which the firewall has not seen the SYN packet, such as asymmetrical routing, failover, reboot and stuff.
--
Institute for Agriculture and Trade Policy
Information Technology
2105 First Ave S, Minneapolis MN 55404
http://www.iatp.org

The best things in life are done by people with nowhere to turn. -The Blind Assassin (Margaret Atwood)
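The behaviour Cedric describes (conntrack "picking up" a TCP flow from a bare ACK and tracking it as NEW) can be refused from the ruleset without recompiling anything: a TCP packet that is in state NEW but is not a SYN is exactly the case the tcp-nopickup patch would flag INVALID, and a rule can drop it. The script below is an added example written for this thread, not code from the list or from the netfilter project. It uses the 2.4-era `-m state` match the thread's readers would have had (on current kernels the same match is spelled `-m conntrack --ctstate`, and mid-stream pickup can be switched off globally with the `net.netfilter.nf_conntrack_tcp_loose=0` sysctl). The `IPT` path, the `SCAN` chain name and the rate limits are assumptions; by default the script only prints the commands, and `APPLY=1` installs them (as root). Note the trade-off Cedric points out: once non-SYN NEW packets are dropped, flows the firewall did not see from the start (asymmetric routing, failover, a reboot of the firewall) are cut until the endpoints reconnect. The ICMP part answers Rahul's other question as a practitioner usually would: rate-limit echo-request rather than blocking ICMP outright, and let conntrack pass RELATED errors.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints (or, with APPLY=1,
# installs) iptables rules that refuse to pick up TCP connections on
# non-SYN packets, the ruleset-level equivalent of the tcp-nopickup patch,
# plus basic scan-probe and ICMP handling.

IPT="${IPT:-iptables}"   # path to the iptables binary (assumption)
APPLY="${APPLY:-0}"      # 0 = dry run, print each command; 1 = execute it

# ipt: run one iptables command, or print it when APPLY is 0.
ipt() {
    if [ "$APPLY" = "1" ]; then
        "$IPT" "$@"
    else
        printf '%s %s\n' "$IPT" "$*"
    fi
}

# nopickup_rules: what conntrack flags INVALID is dropped; packets that
# belong to a flow it already knows are accepted; and a TCP packet that is
# NEW but not a SYN (a bare ACK the firewall would otherwise "pick up"
# as an UNREPLIED connection) is dropped.
nopickup_rules() {
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
}

# scan_rules: flag combinations no real TCP stack sends, which is what
# NULL, Xmas, SYN/FIN and SYN/RST scans look like on the wire. They go to
# a SCAN chain (name assumed) that logs at a limited rate and drops.
scan_rules() {
    ipt -N SCAN
    ipt -A SCAN -m limit --limit 5/min -j LOG --log-prefix SCAN:
    ipt -A SCAN -j DROP
    ipt -A INPUT -p tcp --tcp-flags ALL NONE -j SCAN
    ipt -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j SCAN
    ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j SCAN
    ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j SCAN
}

# icmp_rules: ICMP need not be blocked completely. Echo requests are
# accepted at a limited rate (limit assumed) and dropped beyond it; ICMP
# errors tied to existing flows already passed as RELATED above.
icmp_rules() {
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j DROP
}

# ruleset: the three groups in the order they must be inserted.
ruleset() {
    nopickup_rules
    scan_rules
    icmp_rules
}

# count_rules: number of commands the ruleset emits (meaningful in dry run).
count_rules() {
    ruleset | wc -l | tr -d ' '
}

# Run as a script: prints the commands, or installs them when APPLY=1.
ruleset
```

Run it once without `APPLY` to read the commands it would issue, then `APPLY=1 sh nopickup.sh` as root to install them. The ordering matters: ESTABLISHED,RELATED is accepted before the `! --syn` rule so that only genuinely unknown mid-stream packets are dropped, and the scan rules sit after it so they are only evaluated for packets conntrack has no flow for.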