> > If checking for state NEW, is there any reason to also check if the
> > --syn flag is set or is it enough to just rely on state NEW ?
>
> Depends on your degree of security paranoia :) ...
> If you let through NEW packets which do not have SYN (only) set, then the
> result depends on the O/S on the machine they get forwarded to. I suggest
> http://www.insecure.org as a source of data on what different systems do with
> different strange flag combinations in packets they receive.
>
> One thing is almost certain - letting through NEW packets which don't have SYN
> set is very unlikely to result in an ESTABLISHED connection being created.

Thanks ! I'll be paranoid ;-)..

Gr,
Rob
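The difference between the two rules discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of the `--syn` match (equivalent to `--tcp-flags SYN,RST,ACK,FIN SYN`) applied to packets that already carry a conntrack state label. The packet list and its state labels are constructed sample input, and all function names are hypothetical.

```python
# Added illustration: a simplified model of two iptables matches, not netfilter code.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def bits(names):
    """OR together the TCP flag bits named in an iterable such as ("SYN", "ACK")."""
    value = 0
    for name in names:
        value |= FLAGS[name]
    return value

def tcp_flags_match(pkt_flags, mask, comp):
    """Model of --tcp-flags <mask> <comp>: of the flags in mask, exactly comp are set."""
    return (pkt_flags & bits(mask)) == bits(comp)

def syn_match(pkt_flags):
    """Model of --syn: SYN set, RST/ACK/FIN clear. PSH and URG are not examined."""
    return tcp_flags_match(pkt_flags, ("SYN", "RST", "ACK", "FIN"), ("SYN",))

def rule_state_new(pkt):
    """Models: -m state --state NEW -j ACCEPT"""
    return pkt["state"] == "NEW"

def rule_state_new_and_syn(pkt):
    """Models: -p tcp --syn -m state --state NEW -j ACCEPT"""
    return pkt["state"] == "NEW" and syn_match(pkt["flags"])

# Constructed sample: the state labels are assumed input, not tracker output.
SAMPLE = [
    {"name": "syn",             "flags": bits(["SYN"]),        "state": "NEW"},
    {"name": "ack-only",        "flags": bits(["ACK"]),        "state": "NEW"},
    {"name": "fin",             "flags": bits(["FIN"]),        "state": "NEW"},
    {"name": "syn-ack",         "flags": bits(["SYN", "ACK"]), "state": "NEW"},
    {"name": "no-flags",        "flags": 0,                    "state": "NEW"},
    {"name": "syn-psh",         "flags": bits(["SYN", "PSH"]), "state": "NEW"},
    {"name": "established-ack", "flags": bits(["ACK"]),        "state": "ESTABLISHED"},
]

def accepted(rule, packets=SAMPLE):
    """Names of the packets a rule would accept, in input order."""
    return [p["name"] for p in packets if rule(p)]

def only_stopped_by_syn_check(packets=SAMPLE):
    """Packets the state-only rule accepts but the --syn rule does not."""
    strict = set(accepted(rule_state_new_and_syn, packets))
    return [n for n in accepted(rule_state_new, packets) if n not in strict]

if __name__ == "__main__":
    print("state NEW only  :", accepted(rule_state_new))
    print("state NEW + syn :", accepted(rule_state_new_and_syn))
    print("stopped by --syn:", only_stopped_by_syn_check())
```

Because `--syn` examines only SYN, RST, ACK and FIN, a SYN packet that also has PSH or URG set still matches it.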