Antony Stone <Antony@xxxxxxxxxxxxxxxxxxxx> - Sun, Dec 14, 2003:

> What do you gain from having them match NEW, which isn't already true if they
> match --syn?

Frankly speaking, I am not certain of the true benefits I will ever enjoy from forcing both NEW and --syn. But the topic of where to place the limit in the types of traffic you accept would be too much of a troll to discuss here... ;)

I see the TCP flags and the conntrack as two different providers for the information "this is a new TCP connection". I think I should only believe a new connection takes place when both agree, because my goal is to stop suspicious traffic.

As a dumb example of traffic I could reject with such a rule, I could take an injected SYN packet in the middle of a real TCP connection generating a tcp-reset and effectively closing the connection. This could be an efficient manner of closing a connection in a way which couldn't easily be seen.

Call me paranoid, I prefer to call myself ignorant of what somebody could do if I don't disallow this :)

Is this clear enough, or too far-fetched?

Sincerely,
-- 
Loïc Minier <lool@xxxxxxxx>
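As an added illustration (not part of the original thread), a small Python model of how a chain that only trusts a "new connection" when the TCP flags (--syn) and conntrack state (NEW) agree would treat a few constructed packets; the packet descriptions and the state assigned to each are assumptions for the model, and the iptables rules in the docstring are the equivalent the model emulates.

```python
# Constructed model of a two-rule iptables chain: drop when the TCP flags and
# the conntrack state disagree about whether a packet opens a new connection.
# Packets and the conntrack state attached to each are constructed for this
# example; nothing here is captured from a real system.

NEW, ESTABLISHED = "NEW", "ESTABLISHED"

# (description, TCP flags set on the packet, state conntrack assigns to it)
PACKETS = [
    ("handshake opener",        {"SYN"},        NEW),
    ("reply ACK of handshake",  {"ACK"},        ESTABLISHED),
    ("stray ACK, no entry",     {"ACK"},        NEW),
    ("injected SYN mid-stream", {"SYN"},        ESTABLISHED),
    ("SYN/ACK probe, no entry", {"SYN", "ACK"}, NEW),
]


def is_syn(flags):
    """Match the iptables --syn test: SYN set, ACK/RST/FIN all clear."""
    return "SYN" in flags and not (flags & {"ACK", "RST", "FIN"})


def verdict(flags, state):
    """Emulate this chain (hypothetical rule order, ACCEPT stands in for the
    rest of a real ruleset):
      -A INPUT -p tcp ! --syn -m state --state NEW   -j DROP
      -A INPUT -p tcp --syn   -m state ! --state NEW -j DROP
      -A INPUT -p tcp -j ACCEPT
    """
    if not is_syn(flags) and state == NEW:
        return "DROP"    # conntrack calls it new, the flags do not
    if is_syn(flags) and state != NEW:
        return "DROP"    # flags call it new, conntrack already tracks it
    return "ACCEPT"      # both providers agree


def run(packets=PACKETS):
    """Return {description: verdict} for every constructed packet."""
    return {desc: verdict(flags, state) for desc, flags, state in packets}


if __name__ == "__main__":
    for desc, v in run().items():
        print(f"{desc:26s} -> {v}")
```

Only the first two packets reach ACCEPT; the injected SYN that the message describes is dropped because conntrack does not consider it NEW.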