> Is my assumption correct that state RELATED,ESTABLISHED
> checks all flags for match and thus this state can (and should be for
> performance reasons) be the first in each table ?

No, it checks the *state*. The first packet that is seen in a connection
has state NEW, the rest have state ESTABLISHED or RELATED (as with e.g.
ftp). Since these packets are, let's say, 99% of a connection, the
ESTABLISHED and RELATED match will match the most packets. Also see the
byte/packet counters for this (first 2 columns in the list below). That's
why you probably want that rule somewhere on top for performance reasons,
because the rules are traversed in the order they are entered, and
therefore matched in the order they are entered.

> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 15172 2029K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED

Rule 1 (state checking)

>     0     0 BADTCP     tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG

Rule 2 (flag checking)

So you have two separate rules; one for state and one for flag checking.

Gr,
Rob
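An added example, not part of Rob's message or of iptables itself: a small Python helper that mirrors the two points in the reply. tcp_flags_match() reproduces the xt_tcp "tcp flags:MASK/COMP" test, so you can see that a flag rule inspects header bits and nothing about connection state, and rule_tests() takes the pkts counters from an "iptables -L INPUT -v" listing and adds up how many rule evaluations the kernel did to reach the rule each packet terminated at, which is what moving the RELATED,ESTABLISHED rule to the top saves. The listing, its counters and all function names are constructed for the example and are not from the thread.

```python
# Added example (not from the thread): xt_tcp flag-match semantics and a
# rule-evaluation estimate from "iptables -L <chain> -v" counters.
import re

# TCP flag bits in the order iptables names them (low bit first).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_bits(names):
    """Turn an iptables flag list ('FIN,PSH,URG', 'ALL', 'NONE') into a bitmask."""
    if names == "ALL":
        return sum(TCP_FLAGS.values())
    if names == "NONE":
        return 0
    return sum(TCP_FLAGS[n] for n in names.split(","))


def tcp_flags_match(packet_flags, spec):
    """xt_tcp semantics for 'tcp flags:MASK/COMP': look only at the bits named
    in MASK and require exactly the bits named in COMP to be set among them."""
    mask, comp = spec.split("/")
    return (packet_flags & flag_bits(mask)) == flag_bits(comp)


def counter(text):
    """Parse a -v counter such as '15172' or '2029K' (iptables rounds with K/M/G)."""
    scale = {"K": 10**3, "M": 10**6, "G": 10**9}
    if text[-1] in scale:
        return int(text[:-1]) * scale[text[-1]]
    return int(text)


# Columns of a -v listing: pkts bytes target prot opt in out source destination [match]
RULE_RE = re.compile(
    r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)


def parse_chain(listing):
    """Pull pkts, target and match text out of 'iptables -L <chain> -v' output."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:  # the 'Chain ...' and column header lines do not start with a counter
            rules.append({"pkts": counter(m.group(1)), "target": m.group(3),
                          "match": m.group(10).strip()})
    return rules


def rule_tests(rules):
    """Rule evaluations behind the counters: a packet that terminated at rule i
    (1-based) was tested against rules 1..i, so position i costs pkts * i."""
    return sum(r["pkts"] * (i + 1) for i, r in enumerate(rules))


def state_rule_index(rules):
    """Index of the ACCEPT rule matching state RELATED,ESTABLISHED, or None."""
    for i, r in enumerate(rules):
        if r["target"] == "ACCEPT" and "state RELATED,ESTABLISHED" in r["match"]:
            return i
    return None


def move_state_rule_first(rules):
    """Return a copy of the chain with the state rule moved to the top."""
    i = state_rule_index(rules)
    if i is None:
        return list(rules)
    return [rules[i]] + rules[:i] + rules[i + 1:]


# Constructed listing with hypothetical counters: the state rule sits below
# two flag-checking rules, the order the question was asking about.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 BADTCP     tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0     0 BADTCP     tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
15172 2029K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
  312 18720 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:ssh
"""

if __name__ == "__main__":
    rules = parse_chain(SAMPLE_LISTING)
    print("state rule at position", state_rule_index(rules) + 1)
    print("rule tests as listed:   ", rule_tests(rules))
    print("rule tests, state first:", rule_tests(move_state_rule_first(rules)))
    fpu = TCP_FLAGS["FIN"] | TCP_FLAGS["PSH"] | TCP_FLAGS["URG"]
    print("FIN,PSH,URG-only packet hits the flag rule:",
          tcp_flags_match(fpu, "FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG"))
```

The evaluation count is a proxy only: it treats every rule as equally cheap and assumes the counters would not shift after a reorder. Both assumptions fail at the margin, since a state lookup costs more than a flag compare, and once the state rule is first, packets on already-tracked connections never reach the flag rules at all, so any flag check you want applied to those packets has to sit above it.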