On Thu, Oct 30, 2003 at 11:53:25AM +0100, Maciej Soltysiak wrote:
> > If you're really paranoid, you can also enforce that TCP packets flagged
> > as ESTABLISHED should not be SYN ones :
> >
> > iptables -A FORWARD -m state --state ESTABLISHED -p tcp \
> > ! --syn -j ACCEPT
> And if you're really really PARANOID try this for new TCP :-)
> iptables -A FORWARD -p tcp -m state --state NEW --syn -m length \
> --length 40:68 -j ACCEPT

I know that this assumption works for almost 100% of cases as the SYN packet
almost never carries payload (currently) but there is nothing in the RFC
prohibiting that, or is there? Just trying to comply with the standards.

rfc793
-----
...
Several examples of connection initiation follow. Although these examples do
not show connection synchronization using data-carrying segments, this is
perfectly legitimate, so long as the receiving TCP doesn't deliver the data to
the user until it is clear the data is valid (i.e., the data must be buffered
at the receiver until the connection reaches the ESTABLISHED state). The
three-way handshake reduces the possibility of false connections.
...
-----

Ramin

> New SYN packets are 40 to 68 bytes (depending on IP options) - without
> payload.
>
> Regards,
> Maciej
>
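An added example (mine, not from this thread) that models the two quoted rules over constructed packets; it assumes -m length compares the IPv4 total length, header included, which is how 40 = 20 + 20 arises, and leaves conntrack state out of the model. It shows that the 40:68 bound drops a 100-byte data-carrying SYN that RFC 793 permits, while a SYN carrying only a few bytes of data is indistinguishable by length from one carrying TCP options.

```python
import struct

SYN, RST, ACK, FIN = 0x02, 0x04, 0x10, 0x01   # TCP flag bits (header byte 13)

def build_ipv4_tcp(flags, payload=b"", tcp_options=b""):
    """Constructed sample IPv4+TCP packet; checksums stay zero since only
    lengths and flags matter to the rules modelled here."""
    assert len(tcp_options) % 4 == 0
    ihl = 5                                  # no IP options in these samples
    doff = 5 + len(tcp_options) // 4         # TCP header length in 32-bit words
    total = ihl * 4 + doff * 4 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, flags, 8192, 0, 0)
    return ip + tcp + tcp_options + payload

def parse(pkt):
    """IPv4 total length, TCP flags and TCP payload length of a packet."""
    ver_ihl, _, total = struct.unpack("!BBH", pkt[:4])
    ihl = (ver_ihl & 0x0F) * 4
    doff = (pkt[ihl + 12] >> 4) * 4
    return {"length": total, "flags": pkt[ihl + 13], "payload": total - ihl - doff}

def is_syn_match(flags):
    """iptables '--syn': SYN set and ACK, RST, FIN clear."""
    return flags & (SYN | ACK | RST | FIN) == SYN

def established_rule_accepts(pkt):
    """-m state --state ESTABLISHED -p tcp ! --syn -j ACCEPT
    (conntrack assumed to have classed the packet ESTABLISHED; only TCP is modelled)."""
    return not is_syn_match(parse(pkt)["flags"])

def paranoid_new_rule_accepts(pkt):
    """-p tcp -m state --state NEW --syn -m length --length 40:68 -j ACCEPT
    (conntrack state NEW assumed; -m length taken as the IPv4 total length)."""
    p = parse(pkt)
    return is_syn_match(p["flags"]) and 40 <= p["length"] <= 68

# Typical SYN options (constructed): MSS, SACK-permitted, timestamps, NOP, window scale = 20 bytes
TYPICAL_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8
                + b"\x01" + b"\x03\x03\x07")

if __name__ == "__main__":
    for name, pkt in [("bare SYN", build_ipv4_tcp(SYN)),
                      ("SYN + typical options", build_ipv4_tcp(SYN, tcp_options=TYPICAL_OPTS)),
                      ("SYN + 100-byte data (legal per RFC 793)", build_ipv4_tcp(SYN, b"x" * 100)),
                      ("SYN + 20-byte data", build_ipv4_tcp(SYN, b"x" * 20))]:
        print(f"{name}: len={parse(pkt)['length']} accepted={paranoid_new_rule_accepts(pkt)}")
```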