But if I put these rules first, for example:

  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -m state --state NEW -p tcp ! --syn -j DROP

this means, for connection tracking, that if I receive a packet with flags not equal to SYN that does not belong to any ESTABLISHED or RELATED connection, netfilter will DROP the packet. So I think this means that it will drop any out-of-state packets, also an ACK out of state, isn't it?

> On Mon 07/07/2003 at 17:38, Lombardo Federico wrote:
>> Does the INVALID state also match ACK out-of-state packets?
>
> Unless you've patched your kernel with the tcp-no-pickup patch, no.
>
> --
> Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
> Systems and network security consultant - Cartel Sécurité
> Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
> PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
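A small model of the rule walk discussed in the message, added here as an illustration and not code from the thread. It assumes the conntrack behaviour Cédric describes (an untracked non-SYN TCP packet is classified NEW, not INVALID), ignores RELATED, and adds a hypothetical later "accept port 80" rule to show why listing the state rules first matters:

```python
# Added example, not from the thread: a toy model of how netfilter walks the
# poster's two INPUT rules. Assumes 2.4-era conntrack without tcp-no-pickup,
# so a TCP packet with no conntrack entry is NEW even without SYN (as Cédric's
# reply describes). RELATED/INVALID not modelled; all packets are constructed.

def is_syn(flags):
    """iptables --syn: SYN set and ACK, RST, FIN all clear."""
    return "SYN" in flags and not flags & {"ACK", "RST", "FIN"}

def conntrack_state(pkt, table):
    """ESTABLISHED if the 4-tuple is already tracked, otherwise NEW."""
    return "ESTABLISHED" if pkt["tuple"] in table else "NEW"

def rule_established_related(pkt, state):
    # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    return "ACCEPT" if state in ("ESTABLISHED", "RELATED") else None

def rule_drop_new_non_syn(pkt, state):
    # iptables -A INPUT -m state --state NEW -p tcp ! --syn -j DROP
    if state == "NEW" and pkt["proto"] == "tcp" and not is_syn(pkt["flags"]):
        return "DROP"
    return None

def rule_accept_http(pkt, state):
    # Hypothetical later rule: iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    return "ACCEPT" if pkt["proto"] == "tcp" and pkt["dport"] == 80 else None

INPUT_CHAIN = [rule_established_related, rule_drop_new_non_syn, rule_accept_http]

def evaluate(pkt, table, chain=INPUT_CHAIN, policy="DROP"):
    """First matching rule decides, as in a netfilter chain; else chain policy."""
    state = conntrack_state(pkt, table)
    for rule in chain:
        verdict = rule(pkt, state)
        if verdict is not None:
            return verdict
    return policy

def tcp(flags, src, sport, dport=80, dst="10.0.0.1"):
    return {"proto": "tcp", "flags": set(flags), "dport": dport, "tuple": (src, sport, dst, dport)}

# Constructed sample traffic; tuple = (src ip, src port, dst ip, dst port).
TRACKED = {("10.0.0.2", 40000, "10.0.0.1", 80)}
TRACKED_ACK = tcp({"ACK"}, "10.0.0.2", 40000)   # ACK on a tracked connection
LONE_ACK = tcp({"ACK"}, "198.51.100.7", 5555)   # ACK with no conntrack entry
NEW_SYN = tcp({"SYN"}, "198.51.100.7", 5556)    # ordinary new connection

if __name__ == "__main__":
    print(evaluate(LONE_ACK, TRACKED))  # DROP: rule 2 fires before the port-80 rule
    print(evaluate(LONE_ACK, TRACKED, [rule_accept_http] + INPUT_CHAIN[:2]))  # ACCEPT
```

The second call shows the same out-of-state ACK reaching a service when the port-80 accept rule is listed before the state rules, which is exactly what putting the state rules first prevents.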