"-m state --state NEW" or "--tcp-flags ALL SYN" for tcp?

Hello

Is it better to use "-m state --state NEW" or to use "--tcp-flags ALL
SYN" for tcp packets? There are also the lines
iptables -A INPUT/FORWARD -m state --state INVALID -j DROP
iptables -A INPUT/FORWARD/OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
in the firewall script.

A tcp packet without a SYN flag can never be in state NEW (according to
my tests). Instead iptables discovers this packet as garbage and flags
it with INVALID.

-- 
Jörg Schütter           http://www.lug-untermain.de/
joerg@xxxxxxxxxxxxx     http://www.schuetter.org/joerg/
ICQ: 298982789          http://mypenguin.bei.t-online.de/
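
The two matches from the question used together rather than as alternatives, as an added example that is not part of the original post. The expansion of INPUT/FORWARD into separate rules, the dry-run function `emit_rules` and TCP port 22 as the sample service are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): print a rule set in which a
# TCP packet has to pass the conntrack test and the header-flag test
# before it may open a connection. Nothing is applied; the commands are
# only printed so they can be reviewed first.
# Assumptions: chains as named in the post, TCP port 22 as sample service.

emit_rules() {
    for chain in INPUT FORWARD; do
        # The two lines quoted in the post, one per chain.
        echo "iptables -A $chain -m state --state INVALID -j DROP"
        echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
        # Stateless header test placed behind the conntrack verdict:
        # a TCP packet that is classified NEW but is not SYN-only is dropped.
        echo "iptables -A $chain -p tcp -m state --state NEW ! --tcp-flags ALL SYN -j DROP"
        # Only what is left (NEW and SYN-only) may open the sample service.
        echo "iptables -A $chain -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    done
    # OUTPUT carries the ESTABLISHED,RELATED rule from the post.
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Print the rule set for review. To load it, pipe the output to sh as root.
emit_rules
```

After loading, the packet counters shown by `iptables -L INPUT -v -n` tell whether the NEW-but-not-SYN rule ever matches on a given kernel, which repeats the test described in the post.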



