On Thu, 2004-09-23 at 18:02, Dimitar Katerinski wrote:
> Sorry, a little bit off topic, but I always go red about such kind of crappy rules:
>
> > > Use DNAT target. In short what you need to do is:
> > >
> > > iptables -A FORWARD -m state --state NEW -j ACCEPT
>
> Do you know what you just did? You've just allowed any kind of
> connections, protocols to any port and from/to any destination. Cute,
> isn't it? Remember, --state NEW has never ever meant, and I doubt
> it'll ever mean, that this is a TCP connection with only the SYN bit set. It
> could be everything: ACK, URG, PSH, etc. So guess what, you just opened a wide
> hole in your so-called "firewall" machine. You'd better use --tcp-flags or
> the --syn alias for such purposes. --state NEW can be used for redundant
> firewalling for example, but for me it has no use.

If you're going to go on a tirade about the problem with that rule, at
least point out the actual problem: it doesn't specify the inbound
interface and/or source network(s):

iptables -A FORWARD -i $INTERNAL_IF -m state --state NEW -j ACCEPT

Modifying it to use "-p tcp --syn" still allows all TCP traffic through
the FORWARD chain in both directions.

-j

-- 
Jason Opperisano <opie@xxxxxxxxxxx>
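The following is an added illustration, not code from either poster or from netfilter. It models just enough of the -i, -p, --syn and -m state --state matches to run the three rule variants from the thread (the quoted bare --state NEW rule, the -p tcp --syn replacement, and the -i $INTERNAL_IF fix) against a handful of constructed packets, so the difference between conntrack's NEW state and a SYN-only TCP packet is visible in the verdicts. The interface names eth0 (external) and eth1 (internal), the chain policy of DROP, and every packet are assumptions made for the example.

```python
"""Toy model of FORWARD-chain matching for the three rules in the thread.

Added example, not netfilter code: it reimplements only the -i, -p, --syn
and -m state --state matches. eth0 = external, eth1 = internal (assumed).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# TCP flag bits. --syn means SYN set with ACK, RST and FIN all clear.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    name: str
    in_iface: str          # interface the packet arrived on
    proto: str             # "tcp", "udp", ...
    flags: int = 0         # TCP flags, 0 for non-TCP
    state: str = "NEW"     # what conntrack reports to the state match


@dataclass(frozen=True)
class Rule:
    target: str
    in_iface: Optional[str] = None      # -i IFACE
    proto: Optional[str] = None         # -p PROTO
    syn: bool = False                   # --syn
    states: Optional[frozenset] = None  # -m state --state A,B

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.syn and (pkt.proto != "tcp"
                         or pkt.flags & (SYN | ACK | RST | FIN) != SYN):
            return False
        # --state consults conntrack's classification only, never TCP flags.
        if self.states is not None and pkt.state not in self.states:
            return False
        return True

    def cmdline(self) -> str:
        """The iptables command line this rule corresponds to."""
        parts = ["iptables", "-A", "FORWARD"]
        if self.in_iface:
            parts += ["-i", self.in_iface]
        if self.proto:
            parts += ["-p", self.proto]
        if self.syn:
            parts.append("--syn")
        if self.states:
            parts += ["-m", "state", "--state", ",".join(sorted(self.states))]
        parts += ["-j", self.target]
        return " ".join(parts)


def forward(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; otherwise the chain policy (assumed DROP)."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Usual reply-traffic rule placed ahead of each variant under discussion.
REPLIES = Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))

CHAINS = {
    "state NEW (quoted rule)": [REPLIES, Rule("ACCEPT", states=frozenset({"NEW"}))],
    "-p tcp --syn":            [REPLIES, Rule("ACCEPT", proto="tcp", syn=True)],
    "-i eth1 --state NEW":     [REPLIES, Rule("ACCEPT", in_iface="eth1",
                                              states=frozenset({"NEW"}))],
}

# Constructed packets. With conntrack's default tcp_loose behaviour a
# mid-stream ACK that matches no existing entry is classified NEW, which is
# the case Dimitar describes: NEW does not imply a SYN.
PACKETS = [
    Packet("ext_stray_ack", "eth0", "tcp", ACK),
    Packet("ext_syn",       "eth0", "tcp", SYN),
    Packet("ext_udp",       "eth0", "udp"),
    Packet("int_syn",       "eth1", "tcp", SYN),
    Packet("int_udp",       "eth1", "udp"),
    Packet("ext_reply",     "eth0", "tcp", ACK, state="ESTABLISHED"),
]


def verdicts(chain: List[Rule]) -> Dict[str, str]:
    """Verdict for every constructed packet under the given chain."""
    return {p.name: forward(chain, p) for p in PACKETS}


if __name__ == "__main__":
    for label, chain in CHAINS.items():
        print(f"== {label}: {chain[-1].cmdline()}")
        for name, verdict in verdicts(chain).items():
            print(f"   {name:14s} {verdict}")
```

Running it shows the bare --state NEW rule accepting every packet, including a stray ACK and UDP from the outside; the -p tcp --syn variant refusing the stray ACK but still accepting a SYN from eth0 (and, as a side effect, no longer forwarding the internal host's UDP); and the -i eth1 variant accepting only new connections that arrive on the internal interface while replies still pass via the ESTABLISHED,RELATED rule.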