On Thu, 2004-12-02 at 18:44, Lopsch wrote:
> Yes I know but the manpages don't work here don't know why.

you may want to look into that...

> Hmm but then
> it's better to explicitly drop packets like ... --tcp-flags SYN,FIN
> SYN,FIN before using a line like this ... --syn -m state --state NEW ...
> because this would also allow the usage of SYN,FIN for new connections.

yeah--if you want to drop flag combinations, you would normally do that first, before accepting any connections.

> And that's not a legal set. Or isn't it necessary to drop those packets
> because TCP will take care of that and send RST for them?

no. the point is not to allow TCP to do its thing--that's how scanners like nmap work, by processing a host's response to weird flag combinations...

-j

--
"When I grow up, I'm going to Bovine University!"
--The Simpsons
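
The rule-ordering point discussed in this message, as an added example that is not part of the original e-mail: a small Python model of first-match rule evaluation using the `--tcp-flags MASK COMP` comparison. It assumes `--syn` examines only SYN, RST and ACK (as the quoted question implies), ignores the `-m state` part, and assumes a default policy of DROP; the rule lists and helper names are constructed for illustration.

```python
# Added example: model of iptables first-match evaluation for TCP flag rules.
# Bit values follow the TCP header; rule lists below are constructed samples.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def bits(names):
    """Turn a comma-separated flag list such as 'SYN,FIN' into a bitmask."""
    value = 0
    for name in names.split(","):
        value |= FLAGS[name]
    return value


def tcp_flags(mask, comp):
    """Model --tcp-flags MASK COMP: of the flags in MASK, exactly COMP are set."""
    m, c = bits(mask), bits(comp)
    return lambda pkt: (pkt & m) == c


# Assumption: --syn looks only at SYN, RST and ACK, so FIN is never examined.
SYN_MATCH = tcp_flags("SYN,RST,ACK", "SYN")
# The explicit drop rule from the thread: --tcp-flags SYN,FIN SYN,FIN
SYN_FIN = tcp_flags("SYN,FIN", "SYN,FIN")


def verdict(rules, pkt, policy="DROP"):
    """Return the target of the first matching rule, else the chain policy."""
    for match, target in rules:
        if match(pkt):
            return target
    return policy


ACCEPT_ONLY = [(SYN_MATCH, "ACCEPT")]                        # no explicit drop
DROP_FIRST = [(SYN_FIN, "DROP"), (SYN_MATCH, "ACCEPT")]      # recommended order
ACCEPT_FIRST = [(SYN_MATCH, "ACCEPT"), (SYN_FIN, "DROP")]    # drop never reached

if __name__ == "__main__":
    chains = [("accept only", ACCEPT_ONLY), ("drop first", DROP_FIRST),
              ("accept first", ACCEPT_FIRST)]
    for flags in ("SYN", "SYN,FIN", "SYN,ACK"):
        for name, rules in chains:
            print(f"{flags:8} {name:13} -> {verdict(rules, bits(flags))}")
```

Under these assumptions a SYN,FIN packet is accepted by any chain where the `--syn` rule is evaluated before the explicit drop, which is why the drop rule has to come first.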